CVE-2022-1625

CVE-2022-1625: New User Approve < 2.4 - Arbitrary Settings Update & Invitation Code Creation via CSRF

Vendor Unknown

Product New User Approve

Weakness CWE-352 · CSRF

Published June 27, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The New User Approve WordPress plugin before 2.4 does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (for bypassing the provided restrictions) and to change plugin settings by tricking admin users into visiting specially crafted websites.

Key dates

02Disclosure timeline

June 27, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-1625 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/352.html

Related vulnerabilities

04Related CVE

CVE-2024-51655 WordPress Custom Author URL plugin <= 2.0.1 - CSRF to Stored Cross Site Scripting (XSS) vulnerability CVE-2025-22637 WordPress Print PDF Generator and Publisher plugin <= 1.2.0 - Cross Site Request Forgery (CSRF) vulnerability CVE-2025-48304 WordPress Google XML News Sitemap plugin plugin <= 0.02 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability CVE-2025-58999 WordPress WP Attractive Donations System - Easy Stripe & Paypal donations plugin <= 1.25 - Cross Site Request Forgery (CSRF) vulnerability CVE-2025-28862 WordPress Comment Date and Gravatar remover plugin <= 1.0 - Cross Site Request Forgery (CSRF) vulnerability