CVE-2022-33198 Scanner
CVE-2022-33198 Scanner - Unauthenticated Settings Update vulnerability in WordPress Accordions Plugin
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 12 days 13 hours
Scan only one: Domain, Subdomain, IPv4
The WordPress Accordions plugin is a widely used tool for website owners who want to create collapsible sections on their sites. Often used for FAQs or organized content display, it is popular among bloggers, companies, and anyone maintaining a WordPress site that prioritizes content presentation. Developed by Biplob Adhikari, the plugin gives users dynamic content display options that enhance user interaction, contributing to improved site aesthetics and user experience.
The vulnerability in question allows unauthorized manipulation of settings within the WordPress Accordions plugin. By exploiting it, attackers can change the plugin options without authentication, exposing sites to significant risk. The flaw is critical because the plugin's authentication and authorization checks are insufficient, so an unauthenticated actor can interfere with site configuration. The vulnerability affects versions up to and including 2.0.2 of the plugin. Given the nature of this flaw, sites running these versions are urged to address the issue promptly.
Technically, this vulnerability is an improper authorization issue in the plugin's REST endpoint '/wp-json/oxiaccordionsultimate/v1/oxi_settings'. Attackers use this endpoint to alter settings by crafting specific payloads: the attack is typically carried out through HTTP requests containing manipulated data, exploiting gaps in the plugin's access control. The 'rawdata' parameter in these requests is the key vector, as it lets an attacker inject new settings values. The lack of sufficient input validation and authentication checks makes this endpoint particularly susceptible to such manipulation.
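The two checks a defender would want from the description above are a version check against the affected range and a way to spot write requests to the settings route in web server logs. The following is an added example written for this page; it is not the scanner's own code nor the plugin's. It assumes logs in the standard NCSA combined format, uses constructed sample log lines, and also recognises the generic WordPress '?rest_route=' form of reaching a REST route (an assumption about how the endpoint may appear in logs, not something the page states). The version boundary (2.0.2 inclusive) and the route path come from the page.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlsplit

# Affected range stated on the page: versions up to and including 2.0.2.
LAST_VULNERABLE_VERSION = "2.0.2"

# REST route named on the page, in both the pretty-permalink and ?rest_route= forms.
REST_ROUTE = "/oxiaccordionsultimate/v1/oxi_settings"
VULNERABLE_PATH = "/wp-json" + REST_ROUTE

# Methods that can change settings; GET/HEAD/OPTIONS are read-only and ignored.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# One line of the NCSA combined log format (Apache/nginx default).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '2.0.2' into a comparable tuple."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected_version(version: str) -> bool:
    """True when the installed plugin version lies in the affected range (<= 2.0.2)."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE_VERSION)


def targets_settings_route(target: str) -> bool:
    """True when a request target (path plus optional query) reaches the settings route."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") == VULNERABLE_PATH:
        return True
    # Installs without pretty permalinks reach the REST API via ?rest_route=/ns/route;
    # parse_qs percent-decodes the value for us.
    for route in parse_qs(parts.query).get("rest_route", []):
        if route.rstrip("/") == REST_ROUTE:
            return True
    return False


def find_settings_writes(log_lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return the entries that attempt to write to the settings route.

    Unparseable lines are skipped rather than raising, so the function can run
    over a raw log file as-is.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m.group("method") in WRITE_METHODS and targets_settings_route(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": int(m.group("status")),
            })
    return hits


def count_by_source(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Number of settings-write attempts per source IP, for triage."""
    return dict(Counter(str(h["ip"]) for h in hits))


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2022:13:22:01 +0000] "POST /wp-json/oxiaccordionsultimate/v1/oxi_settings HTTP/1.1" 200 87 "-" "python-requests/2.27.1"',
    '198.51.100.3 - - [10/Jun/2022:13:22:05 +0000] "GET /wp-json/oxiaccordionsultimate/v1/oxi_settings HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2022:13:22:09 +0000] "POST /?rest_route=%2Foxiaccordionsultimate%2Fv1%2Foxi_settings HTTP/1.1" 200 87 "-" "python-requests/2.27.1"',
    '192.0.2.10 - - [10/Jun/2022:13:23:00 +0000] "GET /faq/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'this line is not in combined log format and is skipped',
]

if __name__ == "__main__":
    print("2.0.2 affected:", is_affected_version("2.0.2"))
    print("2.0.3 affected:", is_affected_version("2.0.3"))
    for hit in find_settings_writes(SAMPLE_LOG):
        print(hit)
    print(count_by_source(find_settings_writes(SAMPLE_LOG)))
```

A status of 200 on a write to this route from an unauthenticated client is the signal worth alerting on; after the plugin is updated past 2.0.2 the same request should no longer succeed, so the status code of later hits is a quick way to confirm the fix took effect.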
Exploitation of this vulnerability could have various adverse effects, including site defacement, disruption of functionality, or further compromise of the site. Attackers can alter critical settings, which may cause unexpected behaviour or expose sensitive information, and may use that foothold to extend their control over the site. In severe cases, the extent of the breach can lead to loss of trust among users and stakeholders.
REFERENCES
- https://vdp.patchstack.com/database/wordpress/plugin/accordions-or-faqs/vulnerability/wordpress-accordions-plugin-2-0-2-unauthenticated-wordpress-options-change-vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2022-33198
- https://patchstack.com/database/vulnerability/accordions-or-faqs/wordpress-accordions-plugin-2-0-2-unauthenticated-wordpress-options-change-vulnerability
- https://wordpress.org/plugins/accordions-or-faqs/#developers