CVE-2022-2435 in AnyMind Widget Plugininfo

Summary

by MITRE • 07/18/2022

The AnyMind Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1. This is due to missing nonce protection on the createDOMStructure() function found in the ~/anymind-widget-id.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/08/2026

The AnyMind Widget plugin for WordPress presents a critical cross-site request forgery vulnerability that affects versions up to and including 1.1. This vulnerability stems from inadequate security controls within the plugin's core functionality, specifically in the createDOMStructure() function located in the anymind-widget-id.php file. The absence of proper nonce validation creates a significant security gap that allows malicious actors to exploit the plugin's administrative interfaces without authentication. The vulnerability operates under the principle that attackers can manipulate legitimate user sessions to execute unauthorized actions, leveraging the trust relationship between the user and the web application.

The technical flaw manifests as a missing nonce protection mechanism that should validate the authenticity of requests made to the plugin's administrative functions. Nonces serve as cryptographic tokens that ensure requests originate from legitimate sources within the same session context. In this case, the createDOMStructure() function lacks the necessary verification steps that would normally prevent unauthorized modifications to the widget's DOM structure. This omission creates a pathway for attackers to inject malicious web scripts into pages, potentially compromising the integrity of the website and its users' data. The vulnerability directly maps to CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications.

The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with the capability to manipulate the widget's behavior and potentially gain access to sensitive administrative functions. When an administrator clicks on a malicious link, the forged request can execute without proper authentication, leading to unauthorized modifications of the widget's configuration or content. This scenario represents a significant risk to website owners, as it can result in data breaches, defacement of web pages, or the installation of malicious payloads that persist across user sessions. The vulnerability is particularly dangerous because it requires minimal user interaction beyond clicking a link, making it an effective vector for social engineering attacks.

The threat landscape for this vulnerability aligns with ATT&CK technique T1566.001, which describes social engineering through spearphishing with links. Attackers can craft malicious URLs that, when clicked by an administrator, trigger the CSRF attack against the WordPress plugin. Mitigation strategies should focus on immediate plugin updates to versions that include proper nonce validation, alongside network monitoring for suspicious requests to the affected plugin endpoints. Additionally, implementing security headers such as Content Security Policy can provide defense-in-depth measures to prevent script injection even if the CSRF vulnerability is exploited. Organizations should also conduct regular security audits of their WordPress plugins to identify similar vulnerabilities that may not have been properly addressed through standard update procedures.

Responsible

Wordfence

Reservation

07/15/2022

Disclosure

07/18/2022

Moderation

accepted

CPE

ready

EPSS

0.00527

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!