CVE-2022-0952
Published 2022-05-02
Priority P181 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 13.33% (95.9th percentile)
The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sitemap_project | sitemap | < 1.0.36 | 1.0.36 |
Detection & IOCs
- Monitor for unauthenticated POST requests to /wp-json/click5_sitemap/API/update_html_option_AJAX with JSON bodies setting users_can_register=1 and default_role=administrator. The two-step sequence is the canonical admin account takeover pattern for this CVE.
- The exploit requires no authentication and no CSRF token; any unauthenticated HTTP client can trigger it, so network-layer controls (e.g., WAF rules requiring auth headers) are the primary mitigation until patching.
- The vulnerable endpoint does not restrict which WordPress option can be updated, meaning attackers are not limited to users_can_register/default_role: any arbitrary blog option can be modified via the same endpoint.
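The monitoring described in the list above, as an added example that is not taken from any of the cited sources: it scans request records for unauthenticated POSTs to the endpoint and grades each source by whether the two-option sequence was seen. The JSON-lines field names (`src`, `method`, `path`, `user`, `body`), the convention that an empty `user` means unauthenticated, and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

ENDPOINT = "/wp-json/click5_sitemap/API/update_html_option_AJAX"  # from the page
TAKEOVER = {"users_can_register", "default_role"}  # option pair named on the page

# Constructed sample log. Field names and body excerpts are assumptions
# for illustration, not a real log schema or a captured payload.
SAMPLE_LOG = """\
{"src":"198.51.100.7","method":"POST","path":"/wp-json/click5_sitemap/API/update_html_option_AJAX","user":"","body":"users_can_register=1"}
{"src":"198.51.100.7","method":"POST","path":"/wp-json/click5_sitemap/API/update_html_option_AJAX","user":"","body":"default_role=administrator"}
{"src":"203.0.113.9","method":"POST","path":"/wp-json/click5_sitemap/API/update_html_option_AJAX?x=1","user":"","body":"blogname=test"}
{"src":"192.0.2.10","method":"POST","path":"/wp-json/click5_sitemap/API/update_html_option_AJAX","user":"admin","body":"some_plugin_option=1"}
{"src":"192.0.2.44","method":"GET","path":"/wp-json/","user":"","body":""}
not-json
"""

def detect(log_text):
    """Return {source: verdict} for unauthenticated POSTs to the endpoint."""
    seen = defaultdict(set)   # source -> takeover options mentioned in bodies
    hits = set()              # sources with any unauthenticated write
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue          # skip malformed lines instead of aborting
        if not isinstance(rec, dict):
            continue
        path = rec.get("path", "").split("?", 1)[0].rstrip("/")
        if rec.get("method") != "POST" or path != ENDPOINT or rec.get("user"):
            continue          # wrong verb, other route, or authenticated
        src = rec.get("src", "?")
        hits.add(src)
        seen[src] |= {o for o in TAKEOVER if o in rec.get("body", "")}
    verdicts = {}
    for src in hits:
        if seen[src] == TAKEOVER:
            verdicts[src] = "takeover-sequence"       # both steps observed
        elif seen[src]:
            verdicts[src] = "partial-takeover"        # one of the two options
        else:
            verdicts[src] = "arbitrary-option-write"  # some other option
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(detect(SAMPLE_LOG).items()):
        print(src, verdict)
```

Any verdict on a site running a version before 1.0.36 is worth following up by checking the current values of users_can_register and default_role and reviewing recently created administrator accounts.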
CVSS provenance
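| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | | 8.8 | HIGH | |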
GHSA
ghsa_unreviewed · 2022-05-03
CVE-2022-0952 [HIGH] CWE-352 GHSA-r487-g863-pm8x: The Sitemap by click5 WordPress plugin before 1
VulnCheck
vulncheck · 2022 · CVSS 8.8
CVE-2022-0952 [HIGH] sitemap_project sitemap Cross-Site Request Forgery (CSRF)
Affected: sitemap_project sitemap
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-02&host_type=src&vulnerability=
No detection rules found.
Nuclei
nuclei · CVSS 8.8
CVE-2022-0952 [HIGH] WordPress Sitemap by click5 <1.0.36 - Missing Authorization
WordPress Sitemap by click5 plugin before 1.0.36 is susceptible to missing authorization. The plugin does not have authorization or CSRF checks when updating options via a REST endpoint and does not ensure that the option to be updated belongs to the plugin. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
```yaml
id: CVE-2022-0952
info:
  name: WordPress Sitemap by click5 <1.0.36 - Missing Authorization
  author: random-robbie
  severity: high
  description: |
    WordPress Sitemap by click5 plugin before 1.0.36 is susceptible to missing authorization. The plugin does not have authorization or CSRF checks when updating options
```