CVE-2022-1589
HIGH
All in One Login < 1.1.0 - Unauthenticated Cross-Site Request Forgery
Title source: llm
Description
The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing a CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attack could also be performed via a CSRF vector.
References (1)
Core 1
Core References
Exploit, Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/257f9e14-4f43-4852-8384-80c15d087633
Scores
CVSS v3
7.5
EPSS
0.0058
EPSS Percentile
43.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-352
CWE-863
Status
published
Products (1)
wpexperts/all_in_one_login
< 1.1.0
Published
May 30, 2022
Tracked Since
Feb 18, 2026