cbcvebase.
CVE-2022-4305
published 2023-01-23

Priority: P2 (74), critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 38.63% (98.4th percentile)
The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.

Affected

1 range

Vendor: wp-buy
Product: login_as_user_or_customer
Version range: < 3.3
Fixed in: 3.3

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php?action=loginas_return_admin
Cookie: loginas_old_user_id=1
Path: /wp-content/plugins/login-as-customer-or-user
  • Detect exploitation attempts by monitoring for unauthenticated GET requests to /wp-admin/admin-ajax.php with action=loginas_return_admin combined with the Cookie header loginas_old_user_id=1
  • Confirm successful privilege escalation by checking if the subsequent GET /wp-admin/users.php returns HTTP 200 with body containing 'Edit Profile' and 'All Posts', indicating an active admin session was obtained
  • Fingerprint vulnerable WordPress installations by searching for the plugin path /wp-content/plugins/login-as-customer-or-user in HTTP response bodies
  • The exploit uses a hardcoded user ID of 1 in the cookie (loginas_old_user_id=1), which targets the default WordPress admin account; attackers may vary this value to target other privileged accounts
  • The vulnerability affects Login as User or Customer plugin versions before 3.3; version 3.3 contains the fix and should be used as the remediation threshold in detection rules
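A log-side detector for the indicators listed above, added here as an example that is not part of this record or of the plugin: it assumes a constructed Apache-style access log that also records the request Cookie header, flags unauthenticated `loginas_return_admin` requests carrying a `loginas_old_user_id` cookie, and marks an alert confirmed when the same client then receives HTTP 200 from `/wp-admin/users.php` within the window.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic (not real logs). Assumed format: Apache combined log plus
# the request Cookie header as a final quoted field (LogFormat ending in "%{Cookie}i").
SAMPLE_LOG = """\
198.51.100.7 - - [23/Jan/2023:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=loginas_return_admin HTTP/1.1" 302 0 "-" "curl/7.81" "loginas_old_user_id=1"
198.51.100.7 - - [23/Jan/2023:10:01:03 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 48213 "-" "curl/7.81" "wordpress_logged_in_x=admin%7C0"
203.0.113.9 - - [23/Jan/2023:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "-" "Mozilla/5.0" "wordpress_logged_in_x=editor%7C0"
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$')
OLD_USER_RE = re.compile(r'(?:^|;\s*)loginas_old_user_id=(\d+)')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["target"])
    rec["path"], rec["action"] = url.path, parse_qs(url.query).get("action", [None])[0]
    return rec

def is_trigger(rec):
    # The IOC pair from this record: admin-ajax action loginas_return_admin together with a
    # loginas_old_user_id cookie, sent without any wordpress_logged_in_* cookie (unauthenticated).
    return (rec["path"] == "/wp-admin/admin-ajax.php"
            and rec["action"] == "loginas_return_admin"
            and OLD_USER_RE.search(rec["cookie"]) is not None
            and "wordpress_logged_in_" not in rec["cookie"])

def detect(log_text, window_seconds=60):
    # One alert per trigger; "confirmed" when the same client then receives HTTP 200 from
    # /wp-admin/users.php within window_seconds (the confirmation step described above).
    records = [r for r in map(parse, log_text.splitlines()) if r]
    alerts = []
    for i, rec in enumerate(records):
        if not is_trigger(rec):
            continue
        confirmed = any(
            later["ip"] == rec["ip"] and later["path"] == "/wp-admin/users.php"
            and later["status"] == "200"
            and 0 <= (later["ts"] - rec["ts"]).total_seconds() <= window_seconds
            for later in records[i + 1:])
        alerts.append({"ip": rec["ip"], "time": rec["ts"].isoformat(), "confirmed": confirmed,
                       "target_user_id": OLD_USER_RE.search(rec["cookie"]).group(1)})
    return alerts
```

Pass a real log through `detect()` only after adjusting `LINE_RE` to the server's actual LogFormat; the cookie field is the part most installations do not log by default.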