CVE-2022-1203

MEDIUM

Content Mask < 1.8.4.1 - Authenticated Arbitrary Option Update via Missing Authorization


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-1203. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary: This PoC exploits CVE-2022-1203 in the Content Mask WordPress plugin (<1.8.4). An authenticated user (e.g., a subscriber) can update arbitrary blog options through AJAX actions that lack authorization checks, enabling privilege escalation by setting 'users_can_register' and 'default_role' to 'administrator'.

Description

The Content Mask WordPress plugin before 1.8.4.1 lacks authorisation and CSRF checks in various AJAX actions, and does not validate that the option being updated belongs to the plugin. As a result, any authenticated user, such as a subscriber, could modify arbitrary blog options.

Exploits (1)

nomisec WORKING POC
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2022-1203


Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Content Mask WordPress plugin < 1.8.4
Auth required: Yes
Prerequisites: Valid WordPress credentials (subscriber or higher) · Content Mask plugin version < 1.8.4 installed
Analyzed by devstral-2 on Feb 16, 2026

References (1)

Core References (1)
Tags: Exploit, Third Party Advisory · exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/3c9969e5-ca8e-4e5d-a482-c6b5c4257820

Scores

CVSS v3 4.3
EPSS 0.0105
EPSS Percentile 59.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE: CWE-352 (Cross-Site Request Forgery), CWE-862 (Missing Authorization)
Status: published
Products (1)
content_mask_project/content_mask < 1.8.4.1
Published: May 30, 2022
Tracked Since: Feb 18, 2026