CVE-2022-1749 HIGH

CVE-2022-1749: WPMK Ajax Finder <= 1.0.1 - Cross-Site Request Forgery to Cross-Site Scripting

Vendor Createplugin
Product WPMK Ajax Finder
Weakness CWE-352 · CSRF
Published June 13, 2022
Last update April 8, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.

Key dates

02Disclosure timeline

June 13, 2022 CVE published
April 8, 2026 Record updated