WordPress Plugin Vulnerabilities

New User Approve < 2.4 - Arbitrary Settings Update & Invitation Code Creation via CSRF

Description

The plugin does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (for bypassing the provided restrictions) and to change plugin settings by tricking admin users into visiting specially crafted websites.

Proof of Concept

Affects Plugins

Plugin icon
new-user-approve
Fixed in 2.4

References

CVE
CVE-2022-1625

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Verified
Yes
WPVDB ID
e1693318-900c-47f1-bb77-008b0d33327f

Timeline

Publicly Published
2022-06-01 (about 3 years ago)
Added
2022-06-01 (about 3 years ago)
Last Updated
2023-02-28 (about 2 years ago)

Other

Published
Title
Published
2024-01-30
Title
BizPrint < 4.5.4 - Printer Settings Update via CSRF
Published
2022-10-28
Title
Booster for WooCommerce < 5.6.7 - Settings Reset via CSRF
Published
2025-12-04
Title
User Generator and Importer <= 1.2.2 - Cross-Site Request Forgery to Privilege Escalation via Arbitrary Administrator Account Creation
Published
2025-04-17
Title
Redirect wordpress to welcome or landing page <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-01-16
Title
Category Custom Fields <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting