
CVE-2022-1760: CWE-352 Cross-Site Request Forgery (CSRF) in Unknown Core Control

Severity: Medium
Tags: Vulnerability, CVE-2022-1760, CWE-352
Published: Tue Jan 16 2024 (01/16/2024, 15:52:21 UTC)
Source: CVE Database V5
Vendor/Project: Unknown
Product: Core Control

Description

The Core Control WordPress plugin through 1.2.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

AI-Powered Analysis

AI analysis last updated: 07/03/2025, 16:28:25 UTC

Technical Analysis

CVE-2022-1760 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Core Control WordPress plugin, affecting versions up to and including 1.2.1. The vulnerability arises because the plugin lacks proper CSRF protections when updating its settings. Specifically, there is no mechanism to verify that requests to change configuration settings originate from an authenticated and authorized user action within the WordPress admin interface. An attacker can exploit this by tricking a logged-in WordPress administrator into visiting a maliciously crafted web page, which then sends unauthorized requests to the vulnerable plugin to alter its settings without the administrator's consent. This attack does not require the attacker to have any privileges or authentication themselves, but it does require the victim to be logged in with administrative rights and to interact with the attacker's crafted content (e.g., visiting a malicious website). The vulnerability impacts the integrity of the system by allowing unauthorized changes to plugin settings, which could lead to further compromise depending on what settings are altered. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires user interaction, and results in integrity impact without affecting confidentiality or availability. No known exploits are currently reported in the wild, and no patches or updates have been linked in the provided data. The vulnerability is classified under CWE-352, which covers CSRF issues where state-changing requests lack anti-CSRF tokens or equivalent protections. Given that Core Control is a WordPress plugin, the threat surface includes any WordPress site using this plugin version, particularly those with administrative users who might be targeted via social engineering or malicious content delivery.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the integrity of WordPress-based websites that utilize the Core Control plugin. Unauthorized changes to plugin settings could lead to misconfigurations that weaken site security, potentially enabling further attacks such as privilege escalation, data manipulation, or deployment of malicious code. Organizations relying on WordPress for public-facing websites, intranets, or e-commerce platforms could face reputational damage, loss of customer trust, and compliance issues under regulations like GDPR if site integrity is compromised. While the vulnerability does not directly expose confidential data or cause denial of service, the indirect consequences of unauthorized configuration changes could be significant, especially if attackers leverage these changes to implant backdoors or redirect users to malicious sites. The requirement for an administrator to be logged in and interact with malicious content somewhat limits the attack scope but does not eliminate the risk, as phishing and social engineering remain effective attack vectors. European organizations with high web presence or those in sectors with targeted cyber threats (e.g., finance, government, healthcare) should be particularly vigilant.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first verify whether their WordPress installations use the Core Control plugin and identify the affected versions (up to 1.2.1). Immediate steps include:

1) Restrict administrative access to trusted personnel and enforce strong authentication methods such as multi-factor authentication (MFA) to reduce the risk of compromised admin accounts.
2) Educate administrators about phishing and social engineering tactics to prevent inadvertent interaction with malicious content.
3) Monitor and audit plugin settings regularly for unauthorized changes.
4) If available, update the Core Control plugin to a version that includes CSRF protections; if no patch exists, consider temporarily disabling the plugin or replacing it with alternative solutions until a fix is released.
5) Implement Web Application Firewalls (WAFs) with rules to detect and block suspicious CSRF attempts targeting the plugin endpoints.
6) Employ Content Security Policy (CSP) headers and other browser security features to limit the impact of malicious external content.
7) Review and harden WordPress security configurations overall, including limiting plugin installations and keeping all components updated.
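The following is an added illustration, not code from the Core Control plugin, of what the missing check described in the Technical Analysis looks like and what the CSRF protection referred to in step 4 consists of in WordPress. It uses a hypothetical plugin with a single option (`example_option`) and the standard WordPress nonce and capability APIs; the vulnerable handler is shown only to make the difference concrete.

```php
<?php
// Added example, not the Core Control plugin's code. Hypothetical plugin
// with one option; assumes it is loaded inside a WordPress installation.

// VULNERABLE pattern (the CWE-352 shape described in the advisory): a state
// change driven purely by POST data, with no nonce and no capability check.
// A cross-site form submission succeeds whenever the victim's browser sends
// a valid admin session cookie along with it.
function example_plugin_save_settings_unprotected() {
    if ( isset( $_POST['example_option'] ) ) {
        update_option( 'example_option', sanitize_text_field( wp_unslash( $_POST['example_option'] ) ) );
    }
}

// HARDENED pattern, part 1: render the settings form with a nonce field.
// The nonce is bound to the logged-in user and to the action name, and a
// page on another origin cannot read it from the admin screen.
function example_plugin_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save">
        <?php wp_nonce_field( 'example_plugin_save_settings', '_example_nonce' ); ?>
        <input type="text" name="example_option"
               value="<?php echo esc_attr( get_option( 'example_option', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// HARDENED pattern, part 2: verify capability and nonce before writing.
function example_plugin_save_settings_protected() {
    // Only users permitted to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() stops the request with a 403 if the nonce is
    // missing, expired, or was not issued to this user for this action.
    check_admin_referer( 'example_plugin_save_settings', '_example_nonce' );

    $value = isset( $_POST['example_option'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_option'] ) )
        : '';
    update_option( 'example_option', $value );

    // Return to the settings screen (hypothetical page slug).
    wp_safe_redirect( admin_url( 'options-general.php?page=example_plugin&settings-updated=true' ) );
    exit;
}
add_action( 'admin_post_example_plugin_save', 'example_plugin_save_settings_protected' );
```

When auditing a plugin for this class of issue, look for `update_option()` or similar writes reachable from a request handler that is not preceded by `check_admin_referer()`, `wp_verify_nonce()`, or an equivalent token check together with a `current_user_can()` test.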


Technical Details

Data Version
5.1
Assigner Short Name
WPScan
Date Reserved
2022-05-17T11:40:13.940Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683dc31f182aa0cae24a04d9

Added to database: 6/2/2025, 3:28:31 PM

Last enriched: 7/3/2025, 4:28:25 PM

Last updated: 8/14/2025, 10:01:49 AM
