CVE-2022-23513

MEDIUM

Pi-hole AdminLTE < 5.17 - Unauthenticated Improper Access Control in queryads Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-23513. PoCs published by kv1to.

AI-analyzed exploit summary This exploit demonstrates a broken access control vulnerability in Pi-hole's AdminLTE interface, allowing unauthorized queries to the queryads.php endpoint to retrieve blocked domain information without proper authentication.

Description

Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.

Exploits (1)

exploitdb WORKING POC

by kv1to · textwebappsphp

https://www.exploit-db.com/exploits/51705

View Code ZIP pw:eip

This exploit demonstrates a broken access control vulnerability in Pi-hole's AdminLTE interface, allowing unauthorized queries to the queryads.php endpoint to retrieve blocked domain information without proper authentication.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Pi-hole AdminLTE v5.14.2, FTL v5.19.2, Web Interface v5.17

No auth needed

Prerequisites: Network access to the Pi-hole admin interface

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/pi-hole/AdminLTE/releases/tag/v5.18

Exploit

http://packetstormsecurity.com/files/174460/AdminLTE-PiHole-Broken-Access-Control.html

Scores

CVSS v3 5.3

EPSS 0.1392

EPSS Percentile 94.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (1)

pi-hole/adminlte < 5.17

Published Dec 23, 2022

Tracked Since Feb 18, 2026