CVE-2022-1589

Published: May 30, 2022Modified: Jan 14, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could also be performed via a CSRF vector

Affected (1)

Products: Wpexperts: All In One Login

1 product

All In One Login

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wpexperts All In One Login	Before 1.1.0

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://wpscan.com/vulnerability/257f9e14-4f43-4852-8384-80c15d087633

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/257f9e14-4f43-4852-8384-80c15d087633

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.