CVE-2022-4021 HIGH

CVE-2022-4021: Permalink Manager Lite <= 2.2.20.1 - Cross-Site Request Forgery

Vendor Mbis
Product Permalink Manager Lite
Weakness CWE-352 · CSRF
Published November 16, 2022
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.20.1. This is due to missing or incorrect nonce validation on the extra_actions function. This makes it possible for unauthenticated attackers to change plugin settings including permalinks and site maps, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

November 16, 2022 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-12452 Visit Counter 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting CVE-2024-7568 Favicon Generator <= 1.5 - Cross-Site Request Forgery to Arbitrary File Deletion CVE-2025-58856 WordPress Woocommerce Notify Updated Product Plugin <= 1.6 - Cross Site Request Forgery (CSRF) Vulnerability CVE-2025-32272 WordPress Wishlist plugin <= 1.0.46 - Cross Site Request Forgery (CSRF) vulnerability CVE-2023-7273 Cross Site Request Forgery in Kiteworks OwnCloud