CVE-2022-4552 in FL3R FeelBox Plugin

Summary

by MITRE • 01/30/2023

The FL3R FeelBox WordPress plugin through 8.1 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.


Analysis

by VulDB Data Team • 03/27/2025

The FL3R FeelBox WordPress plugin, through version 8.1, chains three weaknesses into one attack path: its settings-update handler has no Cross-Site Request Forgery protection, and the values it stores are neither sanitised on input nor escaped on output. The attacker does not need an account on the site. Anyone who can lure a logged-in administrator onto a page they control can have that administrator's browser submit the plugin's settings form with attacker-chosen values, which are then stored and later rendered as HTML. The result is a stored cross-site scripting payload executing in administrator sessions; the attack requires the administrator's interaction, which is why the page's own indicators (EPSS 0.00130, not in KEV, very low observed activity) are low despite the severity of the outcome.

Technically, WordPress expects admin form submissions to carry a nonce (emitted with wp_nonce_field and verified with check_admin_referer or wp_verify_nonce); the nonce is bound to the user and action and cannot be read by a cross-origin page, so a forged form cannot supply it. The plugin's settings handler skips that verification, which is the CWE-352 condition: the server cannot tell a submission the administrator intended from one a third-party page triggered with the administrator's cookies. The second and third weaknesses are CWE-116 (improper encoding or escaping of output) and CWE-79 (cross-site scripting): the handler writes the submitted values to the database without sanitisation, and the pages that display those settings print them without escaping for the HTML context, so markup in a stored value is interpreted by every browser that renders it. Either sanitisation on input or escaping on output would have blocked the XSS; the CSRF gap is what lets an outsider plant the payload in the first place.
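The pattern described above, as an added example written for this page and not taken from the FL3R FeelBox plugin: a minimal WordPress settings handler that reproduces the three weaknesses (no nonce check, raw storage, unescaped output), followed by the hardened form using the WordPress nonce, capability, sanitisation and escaping APIs. The option name, action names and form field are hypothetical.

```php
<?php
// Added example, not the plugin's code. Names prefixed feelbox_demo_ are hypothetical.

// ---- Vulnerable pattern (what CVE-2022-4552 describes) ----

add_action( 'admin_post_feelbox_demo_save_vuln', 'feelbox_demo_save_vuln' );
function feelbox_demo_save_vuln() {
    // No nonce and no capability check: any request that reaches this hook is
    // trusted. A form on an attacker's page, auto-submitted by a logged-in
    // administrator's browser, arrives here with the admin's cookies (CWE-352).
    $mood = $_POST['mood_label'];                       // stored unsanitised (CWE-116)
    update_option( 'feelbox_demo_mood_label', $mood );
    wp_safe_redirect( admin_url( 'options-general.php?page=feelbox-demo' ) );
    exit;
}

function feelbox_demo_render_vuln() {
    // Stored value echoed into HTML without escaping: a value such as
    // <script>...</script> runs in every session that views this page (CWE-79).
    echo '<p>Current mood: ' . get_option( 'feelbox_demo_mood_label', '' ) . '</p>';
}

// ---- Hardened pattern ----

function feelbox_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="feelbox_demo_save">
        <?php
        // Emits a hidden nonce field bound to the current user and this action.
        // A cross-origin page cannot read it, so a forged form cannot include it.
        wp_nonce_field( 'feelbox_demo_save', 'feelbox_demo_nonce' );
        ?>
        <label>Mood label
            <input type="text" name="mood_label"
                   value="<?php echo esc_attr( get_option( 'feelbox_demo_mood_label', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_feelbox_demo_save', 'feelbox_demo_save' );
function feelbox_demo_save() {
    // 1. Authorisation: the caller must be allowed to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: verify the nonce for this action; wp_die()s on a missing or stale one.
    check_admin_referer( 'feelbox_demo_save', 'feelbox_demo_nonce' );

    // 3. Input sanitisation before storage: strips tags, control characters
    //    and surrounding whitespace, and removes the slashes WordPress adds.
    $mood = isset( $_POST['mood_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['mood_label'] ) )
        : '';
    update_option( 'feelbox_demo_mood_label', $mood );

    wp_safe_redirect(
        add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=feelbox-demo' ) )
    );
    exit;
}

function feelbox_demo_render() {
    // 4. Output escaping for the HTML text context (esc_attr for attributes,
    //    esc_url for href/src). Even a value that slipped past step 3 is inert here.
    echo '<p>Current mood: ' . esc_html( get_option( 'feelbox_demo_mood_label', '' ) ) . '</p>';
}
```

Steps 2 and 3/4 are independent defences: the nonce stops an outsider from writing the setting through the administrator's browser, while sanitisation and escaping stop whatever is stored from executing. Both belong in the fix, since an administrator who can legitimately edit the setting should not be able to plant script for other users either.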

Operationally, the exposure is to administrators who visit an attacker-controlled page, or follow a link to one, while logged in to their WordPress site. The page submits the plugin's settings form in the background; the administrator sees nothing unusual, the payload is stored, and it executes in the browser of anyone who views the pages where the plugin prints those settings. Because those viewers include administrators, the payload can act with administrative rights: read the REST nonce and cookies, create users, edit theme files or install further code. The stored payload persists until the setting is overwritten, so a single successful CSRF gives an attacker durable access to the site.

Remediation starts with the plugin itself. The page records the flaw as affecting versions through 8.1 and does not name a fixed release; check the plugin's changelog for a release that adds nonce verification and sanitisation to the settings handler and, if none is available, deactivate and remove the plugin. After upgrading or removing it, inspect the plugin's stored options for unexpected markup (script tags, event handlers or javascript: URLs), since the fix does not clean values already planted. Beyond that, the usual controls apply: audit installed plugins and keep core and plugins current, review administrative activity for settings changes no administrator remembers making, and brief administrators not to browse untrusted sites while logged in to the dashboard. A web application firewall can block recognisable XSS payload strings, but it cannot identify the CSRF itself: the forged request arrives from the legitimate administrator's browser with valid cookies and is indistinguishable from a genuine settings update. Note that the attack's prerequisites (a logged-in administrator and user interaction) and its outcome (stored XSS in the admin context) follow directly from the page's description; the page provides no basis for mapping it to specific ATT&CK techniques.

Reservation

12/16/2022

Disclosure

01/30/2023

Moderation

accepted

CPE

ready

EPSS

0.00130

KEV

no

Activities

very low
