CVE-2022-3880: CWE-863 Incorrect Authorization in Unknown Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan
The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan WordPress plugin before 4.20 does not have proper authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from wordpress.org.
AI Analysis
Technical Summary
CVE-2022-3880 is a medium-severity vulnerability affecting the WordPress plugin 'Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan' in versions prior to 4.20. The core issue is incorrect authorization (CWE-863) combined with a Cross-Site Request Forgery (CSRF) weakness (CWE-352) in one of the plugin's AJAX actions. The flaw allows any authenticated user, including low-privileged roles such as subscribers, to use the AJAX endpoint to install and activate arbitrary plugins from the official WordPress.org repository without proper permission checks. It arises because the plugin never verifies that the requesting user holds the capabilities needed to install and activate plugins, and because the action carries no CSRF protection (nonce) to reject requests forged by another site. The CVSS 3.1 base score is 6.5 (medium): network attack vector (remote), low attack complexity, no privileges required (PR:N) and user interaction required (UI:R); PR:N together with UI:R describes the CSRF route, in which an unauthenticated attacker induces an already logged-in user to send the request. The impact is primarily on integrity, since an attacker can introduce malicious plugins that could execute arbitrary code or escalate privileges; confidentiality and availability impacts are not directly indicated. There are no known exploits in the wild, and no patches are linked in the provided data, suggesting that mitigation relies on plugin updates or manual intervention. The vulnerability was reserved in November 2022 and published in December 2022, with WPScan as the assigner and CISA enrichment indicating recognized importance.
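The two missing checks, as an added illustration that is not the affected plugin's code: a hypothetical admin-ajax action (the action name `hypothetical_install_plugin`, the nonce field name and the `slug` parameter are all assumed) written the way the advisory says the fixed version must behave, with comments marking the authorisation and CSRF checks whose absence constitutes CWE-863 and CWE-352.

```php
<?php
// Added illustration, not code from the affected plugin. WordPress runs every
// wp_ajax_* hook for ANY logged-in user, so a callback that goes straight from
// $_POST to the installer is reachable by a subscriber (CWE-863), and without a
// nonce a cross-site page can fire it through the victim's session (CWE-352).
add_action( 'wp_ajax_hypothetical_install_plugin', 'hypothetical_install_plugin' );

function hypothetical_install_plugin() {
    // Check 1 (CSRF): the nonce must have been issued to this user for this
    // action; check_ajax_referer() terminates the request if it is invalid.
    check_ajax_referer( 'hypothetical_install_plugin', 'nonce' );

    // Check 2 (authorisation): being authenticated is not enough. Installing
    // and activating plugins are administrator capabilities (super admin on
    // multisite), and DISALLOW_FILE_MODS turns install_plugins off for everyone.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Accept a bare wordpress.org slug only, never a URL or a filesystem path.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Resolve the slug through the wordpress.org API rather than trusting input.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 404 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }

    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( $activated->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
```

The client side has to send a nonce created with `wp_create_nonce( 'hypothetical_install_plugin' )` (typically handed to the script via `wp_localize_script()`); a request without it now fails before the user's privileges are even considered.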
Potential Impact
For European organizations using WordPress websites with this vulnerable plugin, the risk is significant because an attacker with any authenticated user account—potentially even a subscriber account—can install and activate arbitrary plugins. This can lead to full site compromise, data integrity breaches, and potential lateral movement within the hosting environment. Given WordPress's widespread use in Europe for corporate, governmental, and e-commerce sites, exploitation could result in defacement, data theft, or the deployment of malware such as ransomware. The integrity of the website and its data is at risk, which could undermine trust and cause reputational damage. Since the vulnerability requires user interaction (an authenticated user), organizations with weak user account management or where subscriber accounts are easily obtained or compromised are at higher risk. The lack of confidentiality and availability impact reduces the risk of direct data leakage or denial of service, but the ability to install arbitrary plugins can indirectly lead to these outcomes if attackers deploy further payloads. The absence of known exploits in the wild reduces immediate threat but does not eliminate the risk, especially as automated scanning tools may identify vulnerable sites.
Mitigation Recommendations
1. Update the plugin immediately to version 4.20 or later, where the vulnerability is fixed. If an update is not available, consider disabling or removing the plugin until it is patched.
2. Restrict user roles and permissions rigorously: ensure that only trusted users have authenticated access to the WordPress backend, and minimize the number of subscriber or other low-privilege accounts.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious AJAX requests that attempt to install or activate plugins through this plugin's endpoints.
4. Monitor WordPress logs for unusual plugin installation or activation activity, especially when initiated by low-privileged users.
5. Enforce multi-factor authentication (MFA) for all authenticated users to reduce the risk of account compromise.
6. Regularly audit installed plugins and their versions across all WordPress instances to identify vulnerable versions.
7. Harden WordPress installations by disabling plugin installation and activation for non-administrator roles using custom code or security plugins.
8. Educate administrators and users about the risks of granting unnecessary permissions and the importance of applying updates promptly.
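One way to implement recommendation 4, as an added example that is not part of the advisory or of the affected plugin: a must-use plugin (its name and file are assumed) that logs every plugin install and activation together with the acting account and marks entries where that account does not hold the install_plugins capability. It assumes a standard WordPress install in which the operator can place files in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Hypothetical plugin-change audit
 * Description: Added example, not the affected plugin's code. Place in
 * wp-content/mu-plugins/ so it loads before ordinary plugins and cannot be
 * deactivated from the dashboard. Implements recommendation 4: every plugin
 * install or activation is logged with the acting account, and the entry is
 * flagged when that account lacks the install_plugins capability, which is the
 * trace an abuse of CVE-2022-3880 would leave.
 */
function hypothetical_plugin_audit_line( $event, $plugin ) {
    $user  = wp_get_current_user();
    $login = $user->exists() ? $user->user_login : 'anonymous';
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';
    // A subscriber triggering an install or activation is exactly the anomaly to alert on.
    $flag  = current_user_can( 'install_plugins' ) ? '' : ' SUSPICIOUS=actor-lacks-install_plugins';
    $line  = sprintf(
        'plugin-audit event=%s plugin=%s user=%s roles=%s ip=%s uri=%s%s',
        $event,
        $plugin,
        $login,
        $roles,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        $flag
    );
    error_log( $line ); // lands in the PHP error log (or debug.log); forward it to the SIEM
    return $line;
}

// Fires for every activation regardless of origin: dashboard, WP-CLI, or an AJAX handler.
add_action( 'activated_plugin', function ( $plugin ) {
    hypothetical_plugin_audit_line( 'activate', $plugin );
}, 10, 1 );

// Fires when the core upgrader finishes; installs from wordpress.org go through it.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( 'plugin' !== ( $hook_extra['type'] ?? '' ) ) {
        return;
    }
    $plugin = ( $upgrader instanceof Plugin_Upgrader && $upgrader->plugin_info() )
        ? $upgrader->plugin_info()
        : 'unknown';
    hypothetical_plugin_audit_line( $hook_extra['action'] ?? 'install', $plugin );
}, 10, 2 );
```

Alert on any line carrying the SUSPICIOUS marker, and on install or activate events whose uri is admin-ajax.php rather than the plugin-install screens, since recommendation 7 (for example defining DISALLOW_FILE_MODS as true in wp-config.php) should make both impossible for non-administrators.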
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2022-11-07T16:28:07.354Z
- Cisa Enriched: true
Threat ID: 682d9848c4522896dcbf5eaf
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 5:50:42 AM
Last updated: 8/12/2025, 2:48:53 AM