cbcvebase.
CVE-2022-34487
published 2022-07-21

CVE-2022-34487: Unauthenticated Arbitrary Option Update vulnerability in biplob018's Shortcode Addons plugin <= 3.0.2 at WordPress.

Priority: P2 79
Severity: medium, 5.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 2.65% (83.8th percentile)
Affected (2 ranges)

Vendor      Product            Version range   Fixed in
biplob018   shortcode_addons   <= 3.0.2
oxilab      shortcode_addons   < 3.0.3         3.0.3

Detection & IOCs (extracted from sources)

  url     /wp-json/ShortCodeAddonsUltimate/v2/addons_settings
  other   rawdata=%7B%22name%22%3A%22blogname%22%2C%22value%22%3A%22{{rand}}%22%7D
  other   oxi-confirmation-success
  • Detect unauthenticated POST requests to the vulnerable REST API endpoint /wp-json/ShortCodeAddonsUltimate/v2/addons_settings whose rawdata body parameter carries a JSON option name/value pair.
  • A successful exploitation response returns HTTP 200 with the string 'oxi-confirmation-success' in the response body.
  • The exploit payload sends the JSON URL-encoded in the rawdata parameter and targets the 'blogname' WordPress option to confirm arbitrary option write capability: rawdata={"name":"blogname","value":"<attacker_value>"}
  • Exploitation is two-step: first a POST to the REST endpoint overwrites an option, then a GET / verifies that the modified value appears in the homepage body alongside '/wp-' strings.
  • The exploit request uses Content-Type: application/x-www-form-urlencoded; monitor for unauthenticated requests with this content type to the ShortCodeAddons REST namespace.
  • The vulnerability affects Shortcode Addons plugin versions <= 3.0.2 only; version 3.0.3 and later contain the fix.
  • No authentication is required: the attack is fully unauthenticated (PR:N, UI:N in CVSS), so WAF/IDS rules must not assume session cookies or tokens will be present in malicious requests.
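The detection points above, turned into request- and response-side checks and run over constructed HTTP samples. This is an added example written for this page, not code from the advisory, the plugin, or any vendor's rule set; the hostname, cookie name and the "marker-7f3a" option value are made up, and the severity labels are this example's own choice. Note that the verdict records whether a session cookie or Authorization header was present but never uses it to suppress the alert, which is the point of the last bullet.

```python
"""Added example (not from the advisory or the plugin): WAF/IDS-style detection
for the CVE-2022-34487 request pattern, run over constructed raw HTTP samples."""
import json
from urllib.parse import parse_qs

# Endpoint and success marker quoted in the advisory's IOC list.
VULN_PATH = "/wp-json/ShortCodeAddonsUltimate/v2/addons_settings"
SUCCESS_MARKER = "oxi-confirmation-success"


def parse_raw_request(raw):
    """Split a raw HTTP/1.x request into (method, target, lowercase-keyed headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_option_write(body):
    """Decode the form-encoded 'rawdata' parameter and return (option name, value),
    or None if the body does not carry a JSON object with a 'name' key."""
    raw = parse_qs(body, keep_blank_values=True).get("rawdata")
    if not raw:
        return None
    try:
        payload = json.loads(raw[0])
    except json.JSONDecodeError:
        return None
    if isinstance(payload, dict) and "name" in payload:
        return str(payload["name"]), str(payload.get("value", ""))
    return None


def classify_request(raw):
    """Return a verdict dict. Authentication headers are recorded for context but
    never used to suppress the alert: the endpoint is reachable with no session."""
    method, target, headers, body = parse_raw_request(raw)
    verdict = {
        "suspicious": False,
        "severity": None,
        "option": None,
        "authenticated": "cookie" in headers or "authorization" in headers,
    }
    if method != "POST" or target.split("?", 1)[0] != VULN_PATH:
        return verdict
    verdict["suspicious"] = True
    verdict["option"] = extract_option_write(body)
    # A decodable option write is a concrete overwrite attempt; a bare POST to
    # the route without one is still worth a lower-severity alert.
    verdict["severity"] = "high" if verdict["option"] else "medium"
    return verdict


def exploitation_succeeded(status, response_body):
    """Response-side confirmation: HTTP 200 with the plugin's success marker."""
    return status == 200 and SUCCESS_MARKER in response_body


def homepage_reflects_value(html, value):
    """Second step of the advisory's check: the written value shows up on GET /
    next to the '/wp-' strings a WordPress front page always contains."""
    return value in html and "/wp-" in html


# Constructed samples, not captured traffic. Host, cookie and value are made up.
EXPLOIT_REQUEST = (
    "POST /wp-json/ShortCodeAddonsUltimate/v2/addons_settings HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "rawdata=%7B%22name%22%3A%22blogname%22%2C%22value%22%3A%22marker-7f3a%22%7D"
)
ROUTE_ONLY_REQUEST = (
    "POST /wp-json/ShortCodeAddonsUltimate/v2/addons_settings HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "Cookie: wordpress_logged_in_example=constructed\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "foo=bar"
)
BENIGN_REQUEST = "GET /wp-json/wp/v2/posts HTTP/1.1\r\nHost: victim.example\r\n\r\n"


if __name__ == "__main__":
    for label, req in (("exploit", EXPLOIT_REQUEST),
                       ("route-only", ROUTE_ONLY_REQUEST),
                       ("benign", BENIGN_REQUEST)):
        print(label, classify_request(req))
```

In a real deployment the request-side check would sit in front of the site (WAF or reverse proxy) and the response-side check in a proxy log pipeline; pairing the two gives a confirmed-exploitation alert rather than just an attempt.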

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      5.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vulncheck             9.8     CRITICAL

The two sources disagree sharply: NVD scores only a Low integrity impact, while VulnCheck rates the same issue Critical. Given that it is exploited in the wild, update to 3.0.3 regardless of which score your tooling shows.