CVE-2022-2355 - Vulnerability Details - OpenCVE

The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0012.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Easy Username Updater Project	Easy Username Updater

Configuration 1 [-]

cpe:2.3:a:easy_username_updater_project:easy_username_updater:*:*:*:*:*:wordpress:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-34623	The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://wpscan.com/vulnerability/426b5a0f-c16d-429a-9396-b3aea7922826

History

Wed, 27 Aug 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2022-08-08T13:46:33.000Z

Updated: 2025-08-27T18:39:38.353Z

Reserved: 2022-07-08T00:00:00.000Z

Link: CVE-2022-2355

Vulnrichment

Updated: 2024-08-03T00:32:09.598Z

NVD

Status : Analyzed

Published: 2022-08-08T14:15:08.750

Modified: 2025-09-24T19:42:00.513

Link: CVE-2022-2355

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Easy Username Updater", "vendor": "Unknown", "versions": [{"lessThan": "1.0.5", "status": "affected", "version": "1.0.5", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Raad Haddad"}], "descriptions": [{"lang": "en", "value": "The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-08T13:46:33.000Z", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/426b5a0f-c16d-429a-9396-b3aea7922826"}], "source": {"discovery": "EXTERNAL"}, "title": "Easy Username Updater < 1.0.5 - Arbitrary Username Update via CSRF", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-2355", "STATE": "PUBLIC", "TITLE": "Easy Username Updater < 1.0.5 - Arbitrary Username Update via CSRF"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Easy Username Updater", "version": {"version_data": [{"version_affected": "<", "version_name": "1.0.5", "version_value": "1.0.5"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Raad Haddad"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin"}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/426b5a0f-c16d-429a-9396-b3aea7922826", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/426b5a0f-c16d-429a-9396-b3aea7922826"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:09.598Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/426b5a0f-c16d-429a-9396-b3aea7922826"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-27T18:39:18.631103Z", "id": "CVE-2022-2355", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-27T18:39:38.353Z"}}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-2355", "datePublished": "2022-08-08T13:46:33.000Z", "dateReserved": "2022-07-08T00:00:00.000Z", "dateUpdated": "2025-08-27T18:39:38.353Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/426b5a0f-c16d-429a-9396-b3aea7922826", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:09.598Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-2355", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-27T18:39:18.631103Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-27T18:07:56.525Z"}}], "cna": {"title": "Easy Username Updater < 1.0.5 - Arbitrary Username Update via CSRF", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Raad Haddad"}], "affected": [{"vendor": "Unknown", "product": "Easy Username Updater", "versions": [{"status": "affected", "version": "1.0.5", "lessThan": "1.0.5", "versionType": "custom"}]}], "references": [{"url": "https://wpscan.com/vulnerability/426b5a0f-c16d-429a-9396-b3aea7922826", "tags": ["x_refsource_MISC"]}], "x_generator": "WPScan CVE Generator", "descriptions": [{"lang": "en", "value": "The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2022-08-08T13:46:33.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Raad Haddad"}], "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "1.0.5", "version_value": "1.0.5", "version_affected": "<"}]}, "product_name": "Easy Username Updater"}]}, "vendor_name": "Unknown"}]}}, "data_type": "CVE", "generator": "WPScan CVE Generator", "references": {"reference_data": [{"url": "https://wpscan.com/vulnerability/426b5a0f-c16d-429a-9396-b3aea7922826", "name": "https://wpscan.com/vulnerability/426b5a0f-c16d-429a-9396-b3aea7922826", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-2355", "STATE": "PUBLIC", "TITLE": "Easy Username Updater < 1.0.5 - Arbitrary Username Update via CSRF", "ASSIGNER": "contact@wpscan.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-2355", "state": "PUBLISHED", "dateUpdated": "2025-08-27T18:39:38.353Z", "dateReserved": "2022-07-08T00:00:00.000Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2022-08-08T13:46:33.000Z", "assignerShortName": "WPScan"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:easy_username_updater_project:easy_username_updater:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5FC69342-7929-4420-8970-A8FDBF55CE91", "versionEndExcluding": "1.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin"}, {"lang": "es", "value": "El plugin Easy Username Updater de WordPress versiones anteriores a 1.0.5, no implementa comprobaciones de tipo CSRF, lo que podr\u00eda permitir a atacantes hacer que un administrador conectado cambie el nombre de usuario de cualquier usuario, incluyendo al administrador"}], "id": "CVE-2022-2355", "lastModified": "2025-09-24T19:42:00.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-08-08T14:15:08.750", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/426b5a0f-c16d-429a-9396-b3aea7922826"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/426b5a0f-c16d-429a-9396-b3aea7922826"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "contact@wpscan.com", "type": "Secondary"}]}