CVE-2022-1589 in Change wp-admin Login Plugin

Summary

by MITRE • 05/30/2022

The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attack could also be performed via a CSRF vector.


Analysis

by VulDB Data Team • 01/14/2026

The vulnerability identified as CVE-2022-1589 affects the Change wp-admin login WordPress plugin in versions before 1.1.0 (the fix shipped in 1.1.0). The plugin exists to move the WordPress login page away from its default location, so a flaw in its settings handling undermines exactly the hardening it is installed to provide. The issue stems from inadequate authorization checks and the absence of Cross-Site Request Forgery protection on the settings-update path, which lets anyone who can reach the handler change the plugin's configuration without holding any credentials.

The technical flaw consists of two weaknesses that compound each other. First, the settings-update code does not verify that the requester holds the capability required to change plugin options (in WordPress terms, a check such as current_user_can('manage_options')), so the update is processed regardless of whether the requester is logged in at all. Second, no nonce is verified, so a request forged by a third-party page and carried by an authenticated administrator's browser is accepted just like a genuine form submission. Together these give an unauthenticated attacker a direct path to the settings, and give an attacker who cannot reach the handler directly a CSRF path through any administrator who visits attacker-controlled content while logged in.

The operational impact goes beyond a cosmetic configuration change. The settings this plugin manages govern where the login page lives, so an attacker who can rewrite them can at minimum relocate or re-expose the login endpoint, undo the protection the plugin was installed for, and lock legitimate administrators out of the login form. Whether the change can be pushed further, for example toward a redirect that harvests credentials or toward administrative compromise, depends on what the plugin's settings are able to express; the advisory itself establishes only that unauthenticated users can change them. In either case the flaw violates the principle of least privilege and basic authorization enforcement, since a function reserved for administrators is reachable by anyone.

The vulnerability maps to CWE-863, "Incorrect Authorization," for the missing capability check, and to CWE-352, "Cross-Site Request Forgery (CSRF)," for the missing nonce check; both are well-established weakness classes in industry frameworks. ATT&CK mappings fit less cleanly. The unauthenticated path uses no credentials at all, so Valid Accounts (T1078, and in particular the Cloud Accounts sub-technique T1078.004) does not describe it well for a self-hosted WordPress site. The CSRF path, in which a logged-in administrator is lured to attacker-controlled content, is closer to Phishing: Spearphishing Link (T1566.002) than to the attachment sub-technique, since the forged request is triggered by a visited page rather than an opened file.

Mitigation must address both deficiencies. The immediate fix is updating the plugin to version 1.1.0 or later, which adds the authorization and nonce checks. Beyond that, site operators should monitor for changes to plugin options that did not originate from an authenticated administrator session, place a web application firewall in front of wp-admin to drop suspicious settings-update requests, and audit installed plugins regularly for handlers that write options without capability or nonce checks. Network-level controls such as restricting access to the wp-admin directory by source address reduce exposure of the unauthenticated path but do not stop the CSRF path, because that request comes from an administrator's own browser. Finally, verify across all installations that the plugin has actually been updated and that its settings still hold the intended values.
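The following is an added illustration of the two defects the analysis describes and of the WordPress-native fix for them; it is not the Change wp-admin login plugin's code, and the option name, action name, form field and function names are hypothetical. The vulnerable pattern hooks the settings write onto admin_init, which WordPress also fires for unauthenticated requests to admin-ajax.php and admin-post.php; the hardened pattern moves the write to an admin_post_* handler (not admin_post_nopriv_*), requires the manage_options capability, and verifies a nonce bound to the action.

```php
<?php
/**
 * Added example (not the plugin's own code). Option, action and field
 * names are hypothetical.
 */

// --- Vulnerable pattern: runs on every admin_init, including unauthenticated
// requests to admin-ajax.php and admin-post.php. No capability check, no
// nonce check, no validation.
function vuln_example_save_settings() {
    if ( isset( $_POST['vuln_example_login_slug'] ) ) {
        update_option( 'vuln_example_login_slug', $_POST['vuln_example_login_slug'] );
    }
}
// add_action( 'admin_init', 'vuln_example_save_settings' );  // do not do this

// --- Hardened pattern.

// Settings form, rendered inside the plugin's settings page callback. The
// hidden "action" field routes the POST to admin_post_hardened_example_save,
// and wp_nonce_field() emits the token the handler will verify.
function hardened_example_settings_form() {
    $slug = get_option( 'hardened_example_login_slug', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hardened_example_save">
        <?php wp_nonce_field( 'hardened_example_save', 'hardened_example_nonce' ); ?>
        <label for="hardened_example_login_slug">Login slug</label>
        <input type="text" id="hardened_example_login_slug"
               name="hardened_example_login_slug"
               value="<?php echo esc_attr( $slug ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler. Registered only on admin_post_* (authenticated requests); there is
// deliberately no admin_post_nopriv_* registration, so an anonymous client
// never reaches this function at all.
function hardened_example_save() {
    // Authorization: the caller must be permitted to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // CSRF: the nonce must match this action and the current user. On a
    // mismatch check_admin_referer() terminates the request with a 403.
    check_admin_referer( 'hardened_example_save', 'hardened_example_nonce' );

    // Input validation: the value becomes part of a URL path, so constrain it
    // to a sanitized slug of bounded length before storing it.
    $slug = isset( $_POST['hardened_example_login_slug'] )
        ? sanitize_title( wp_unslash( $_POST['hardened_example_login_slug'] ) )
        : '';
    if ( '' === $slug || strlen( $slug ) > 64 ) {
        wp_die( 'Invalid login slug.', 'Bad Request', array( 'response' => 400 ) );
    }

    update_option( 'hardened_example_login_slug', $slug );

    // Redirect back to the settings page; wp_safe_redirect() refuses
    // off-site targets, so an attacker cannot turn this into an open redirect.
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_hardened_example_save', 'hardened_example_save' );
```

The order of checks matters: the capability test runs first so that an anonymous or low-privilege request is rejected before any nonce logic, and the nonce is verified before any input is read, so a forged request from an administrator's browser is dropped without touching the option. A companion example of the monitoring step, also added here and not part of the plugin, follows in a separate block below only if that block is present; this code stands on its own.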
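For the monitoring recommendation above, the following added example (not the plugin's code; the option name and log format are hypothetical) is a must-use plugin that records every change to a sensitive option together with the acting user, source address and whether the request carried a valid nonce, so that a change made by an anonymous client or without a nonce stands out in the logs.

```php
<?php
/**
 * Added example: drop into wp-content/mu-plugins/ to log changes to a
 * sensitive option. Not part of the Change wp-admin login plugin. The
 * option name below is hypothetical; replace it with the real one.
 */

// Options whose changes should always be attributable to an administrator.
function monitor_example_watched_options() {
    return array( 'hardened_example_login_slug' );
}

// Fires after update_option() has written a new value. Signature:
// do_action( 'updated_option', $option, $old_value, $value ).
function monitor_example_on_updated_option( $option, $old_value, $value ) {
    if ( ! in_array( $option, monitor_example_watched_options(), true ) ) {
        return;
    }

    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // A legitimate settings form submission carries a nonce; a request
    // that changed the option without one is the signature of the
    // vulnerable path described in the analysis.
    $nonce_ok = isset( $_POST['hardened_example_nonce'] )
        && wp_verify_nonce( $_POST['hardened_example_nonce'], 'hardened_example_save' );

    $record = array(
        'event'      => 'option_changed',
        'option'     => $option,
        'old'        => $old_value,
        'new'        => $value,
        'user_id'    => $user->ID,            // 0 when unauthenticated
        'user_login' => $user->user_login,    // empty when unauthenticated
        'can_manage' => current_user_can( 'manage_options' ),
        'nonce_ok'   => $nonce_ok,
        'ip'         => $ip,
        'uri'        => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'ts'         => gmdate( 'c' ),
    );

    // One JSON line per event so a log shipper can forward it to a SIEM.
    // Alert on user_id == 0, can_manage == false or nonce_ok == false.
    error_log( wp_json_encode( $record ) );
}
add_action( 'updated_option', 'monitor_example_on_updated_option', 10, 3 );
```

A must-use plugin loads before ordinary plugins and cannot be deactivated from the dashboard, which is why it is the right place for this hook: even if the vulnerable plugin is exploited, the record of the change is written by code the attacker's request cannot bypass through the plugin's own settings.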

Reservation

05/05/2022

Disclosure

05/30/2022

Moderation

accepted

CPE

ready

EPSS

0.00578

KEV

no

Activities

very low

Sources
