CVE-2022-1672 - OpenCVE

The Insights from Google PageSpeed WordPress plugin before 4.0.7 does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Insights From Google Pagespeed Project	Insights From Google Pagespeed

Configuration 1 [-]

cpe:2.3:a:insights_from_google_pagespeed_project:insights_from_google_pagespeed:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/5c5955d7-24f0-45e6-9c27-78ef50446dad

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2022-07-17T10:35:33

Updated: 2024-08-03T00:10:03.792Z

Reserved: 2022-05-11T00:00:00

Link: CVE-2022-1672

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-07-17T11:15:08.450

Modified: 2022-07-18T12:10:22.613

Link: CVE-2022-1672

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Insights from Google PageSpeed", "vendor": "Unknown", "versions": [{"lessThan": "4.0.7", "status": "affected", "version": "4.0.7", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Daniel Ruf"}], "descriptions": [{"lang": "en", "value": "The Insights from Google PageSpeed WordPress plugin before 4.0.7 does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-17T10:35:33", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/5c5955d7-24f0-45e6-9c27-78ef50446dad"}], "source": {"discovery": "EXTERNAL"}, "title": "Insights from Google PageSpeed < 4.0.7 - Multiple CSRF", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-1672", "STATE": "PUBLIC", "TITLE": "Insights from Google PageSpeed < 4.0.7 - Multiple CSRF"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Insights from Google PageSpeed", "version": {"version_data": [{"version_affected": "<", "version_name": "4.0.7", "version_value": "4.0.7"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Daniel Ruf"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Insights from Google PageSpeed WordPress plugin before 4.0.7 does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks"}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/5c5955d7-24f0-45e6-9c27-78ef50446dad", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/5c5955d7-24f0-45e6-9c27-78ef50446dad"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:10:03.792Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/5c5955d7-24f0-45e6-9c27-78ef50446dad"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-1672", "datePublished": "2022-07-17T10:35:33", "dateReserved": "2022-05-11T00:00:00", "dateUpdated": "2024-08-03T00:10:03.792Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:insights_from_google_pagespeed_project:insights_from_google_pagespeed:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "6CB26E9C-EE35-473B-940A-76E1CF7C5856", "versionEndExcluding": "4.0.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Insights from Google PageSpeed WordPress plugin before 4.0.7 does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks"}, {"lang": "es", "value": "El plugin Insights from Google PageSpeed de WordPress versiones anteriores a 4.0.7, no verifica la presencia de tipo CSRF antes de realizar varias acciones como la eliminaci\u00f3n de URLs personalizadas, lo que podr\u00eda permitir a atacantes hacer que un administrador conectado lleve a cabo dichas acciones por medio de ataques CSRF"}], "id": "CVE-2022-1672", "lastModified": "2022-07-18T12:10:22.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-17T11:15:08.450", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/5c5955d7-24f0-45e6-9c27-78ef50446dad"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "contact@wpscan.com", "type": "Primary"}]}