CVE-2022-3880 in Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan Plugin

Summary

by MITRE • 12/12/2022

The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan WordPress plugin before 4.20 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from wordpress.org.


Analysis

by VulDB Data Team • 04/23/2025

The CVE-2022-3880 vulnerability affects the Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan WordPress plugin version 4.20 and earlier. This security flaw resides in the plugin's handling of AJAX actions, specifically in the lack of proper authorization checks and cross-site request forgery protections. The vulnerability allows any authenticated user account, regardless of role level, to exploit this weakness and execute arbitrary plugin installation and activation commands from the official WordPress.org repository. The flaw represents a critical privilege escalation vulnerability that undermines the fundamental security model of WordPress plugin management systems.

The technical implementation of this vulnerability stems from inadequate input validation and access control mechanisms within the plugin's AJAX handler. When authenticated users access specific endpoints designed for administrative functions, the plugin fails to verify whether the requesting user possesses sufficient privileges to perform plugin management operations. This absence of proper authorization checks creates an exploitable path where even low-privilege users such as subscribers can trigger the installation and activation of arbitrary plugins. The vulnerability manifests through the plugin's failure to implement CSRF tokens or session validation, making it susceptible to exploitation via maliciously crafted requests that leverage the authenticated user's session.

The operational impact of this vulnerability extends beyond simple privilege escalation, creating a significant attack surface for malicious actors who can leverage compromised user accounts to gain deeper system control. An attacker with access to any authenticated user account can use this vulnerability to install potentially malicious plugins from the WordPress.org repository, effectively compromising the entire WordPress installation. This weakness enables attackers to deploy backdoors, malware, or other harmful plugins that can persist across system restarts and potentially provide ongoing access to the compromised environment. The vulnerability essentially transforms any authenticated user account into a potential vector for unauthorized plugin deployment, undermining the security boundaries typically maintained by WordPress user role permissions.

Mitigation strategies for CVE-2022-3880 require immediate action to upgrade the affected plugin to version 4.20 or later, where proper authorization and CSRF protections have been implemented. System administrators should also implement additional security measures including regular plugin auditing, monitoring for unauthorized plugin installations, and enforcing strict user role permissions. The vulnerability aligns with CWE-863 (Insufficient Authorization) and represents a clear violation of the principle of least privilege in security design. From an ATT&CK framework perspective, this vulnerability maps to T1547.009 (AppInit DLLs) and T1059.001 (Command and Scripting Interpreter) as attackers can leverage this weakness to establish persistent access through malicious plugin installation and execution. Organizations should also consider implementing web application firewalls and intrusion detection systems to monitor for exploitation attempts targeting this specific vulnerability pattern.
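As an added example (not the plugin's own code; the hook name, nonce action and allow-listed slugs are hypothetical), this is the shape of a privileged admin-ajax handler that carries the two checks the analysis says were missing, a CSRF nonce check and a capability check, plus an allow-list so the slug cannot be arbitrary:

```php
<?php
// Added example, not the affected plugin's code. Hook name 'ahs_install_plugin',
// nonce action 'ahs_install_nonce' and the allow-list are hypothetical.
// The admin page that triggers this request must embed a nonce created with
// wp_create_nonce( 'ahs_install_nonce' ) and send it as the 'nonce' POST field.

add_action( 'wp_ajax_ahs_install_plugin', 'ahs_handle_install_plugin' );
// No 'wp_ajax_nopriv_' registration: unauthenticated requests never reach this.

function ahs_handle_install_plugin() {
    // 1. CSRF protection: dies with HTTP 403 when the nonce is missing or does
    //    not match the one issued to this user's session.
    check_ajax_referer( 'ahs_install_nonce', 'nonce' );

    // 2. Authorization: being logged in is not enough. A subscriber fails here;
    //    only roles that hold install_plugins and activate_plugins pass.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Input validation: accept only known slugs, never whatever the client sends.
    $allowed = array( 'classic-editor', 'akismet' ); // hypothetical allow-list
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin slug.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Resolve the slug to a wordpress.org download link, then install it.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 500 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }

    // Activate only after a successful install; plugin_info() is the new basename.
    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
}
```

Either missing check alone reproduces the class of flaw described above: without the nonce, a crafted cross-site request rides the victim's session; without the capability check, any logged-in role can reach plugin management.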

Reservation

11/07/2022

Disclosure

12/12/2022

Moderation

accepted

CPE

ready

EPSS

0.00340

KEV

no

Activities

very low
