CVE-2022-1749: CWE-352 Cross-Site Request Forgery (CSRF) in createplugin WPMK Ajax Finder

Severity: High
Published: Mon Jun 13 2022 (06/13/2022, 13:13:21 UTC)
Source: CVE
Vendor/Project: createplugin
Product: WPMK Ajax Finder

Description

The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.

AI-Powered Analysis

Last updated: 07/05/2025, 21:42:24 UTC

Technical Analysis

CVE-2022-1749 is a high-severity vulnerability classified as CWE-352 (Cross-Site Request Forgery) affecting the WPMK Ajax Finder WordPress plugin, specifically versions up to and including 1.0.1. The vulnerability arises from the createplugin_atf_admin_setting_page() function located in the ~/inc/config/create-plugin-config.php file, which lacks a nonce check. Nonces in WordPress are security tokens used to verify that a request was issued intentionally by a legitimate user and was not forged by a malicious third party. Without this validation, an attacker can craft a malicious web request that, when executed by an authenticated administrator or a user with sufficient privileges, injects arbitrary web scripts or performs unauthorized actions on the site.

The CVSS v3.1 base score of 8.8 reflects the seriousness of this vulnerability: the attack vector is network (remote exploitation), attack complexity is low, and no privileges are required, but user interaction is required (the victim must be tricked into visiting a malicious link or page). The impact metrics indicate high confidentiality, integrity, and availability impacts, meaning an attacker could potentially steal sensitive data, modify site content or configurations, and disrupt site operations.

Although no known exploits have been reported in the wild, the vulnerability's characteristics make it a significant risk for WordPress sites using this plugin. Since the plugin is designed to enhance search functionality via Ajax, it is likely installed on a variety of WordPress sites, increasing the potential attack surface. The lack of a patch or official fix at the time of reporting further elevates the risk.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for those relying on WordPress sites with the WPMK Ajax Finder plugin installed. Successful exploitation could lead to unauthorized administrative actions, data theft, defacement, or service disruption. This can result in reputational damage, loss of customer trust, and potential regulatory penalties under GDPR if personal data is compromised. The high integrity and availability impacts mean that attackers could alter website content or configurations, potentially injecting malicious code that could spread malware to visitors or redirect users to phishing sites. Additionally, disruption of website services could affect business operations, particularly for e-commerce or customer-facing portals. Given the widespread use of WordPress in Europe for both commercial and governmental websites, the vulnerability could be leveraged in targeted attacks against organizations with valuable data or a high-profile web presence. The requirement for user interaction (an authenticated user visiting a malicious link) means social engineering could be used to facilitate exploitation.

Mitigation Recommendations

Organizations should immediately audit their WordPress installations to identify the presence of the WPMK Ajax Finder plugin, particularly versions up to and including 1.0.1. If found, the plugin should be disabled or removed until an official patch is released. In the absence of a vendor patch, site administrators can implement manual nonce checks in the createplugin_atf_admin_setting_page() function to validate requests properly. Additionally, organizations should enforce strict user access controls, limiting administrative privileges to trusted personnel only and educating users about the risks of clicking on suspicious links. Employing Web Application Firewalls (WAFs) with rules to detect and block CSRF attack patterns targeting this plugin can provide a temporary protective layer. Regular monitoring of web server logs for unusual POST requests to the affected plugin endpoints can help detect attempted exploitation. Finally, maintaining up-to-date backups and having an incident response plan will aid in rapid recovery if exploitation occurs.
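
The manual nonce check recommended above, shown as an added example; it is not the plugin's code or an official patch. All `example_atf_*` names (function, nonce action, nonce field, option) are hypothetical, and the sketch assumes the settings page function both renders the form and handles its POST.

```php
<?php
// Added example: hypothetical settings page hardened against CSRF.
// Only the WordPress core functions used here are real; every
// example_atf_* / EXAMPLE_ATF_* name is a placeholder.

const EXAMPLE_ATF_NONCE_ACTION = 'example_atf_save_settings';
const EXAMPLE_ATF_NONCE_FIELD  = 'example_atf_nonce';
const EXAMPLE_ATF_OPTION       = 'example_atf_placeholder_text';

function example_atf_admin_setting_page() {
    // A valid nonce proves intent, not authorization, so check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to manage these settings.', '', array( 'response' => 403 ) );
    }

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // Stops with a 403 unless the POST carries a nonce minted for this
        // action and for the logged-in user's session. A forged cross-site
        // request cannot read that value from the form, so it fails here.
        check_admin_referer( EXAMPLE_ATF_NONCE_ACTION, EXAMPLE_ATF_NONCE_FIELD );

        // Sanitize on save so a stored setting cannot carry markup or script.
        $raw = isset( $_POST[ EXAMPLE_ATF_OPTION ] )
            ? wp_unslash( $_POST[ EXAMPLE_ATF_OPTION ] )
            : '';
        update_option( EXAMPLE_ATF_OPTION, sanitize_text_field( $raw ) );
        echo '<div class="notice notice-success"><p>Settings saved.</p></div>';
    }

    $current = get_option( EXAMPLE_ATF_OPTION, '' );
    ?>
    <div class="wrap">
        <form method="post">
            <?php // Emits the hidden nonce field (and a referer field) verified above. ?>
            <?php wp_nonce_field( EXAMPLE_ATF_NONCE_ACTION, EXAMPLE_ATF_NONCE_FIELD ); ?>
            <input type="text"
                   name="<?php echo esc_attr( EXAMPLE_ATF_OPTION ); ?>"
                   value="<?php echo esc_attr( $current ); ?>">
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}
```

The nonce check must run before any option is written; placing it after `update_option()` leaves the forged request effective even though the page then errors out.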

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2022-05-16T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981ec4522896dcbdbcd3

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/5/2025, 9:42:24 PM

Last updated: 8/4/2025, 6:44:10 AM
