CVE-2022-1749

Name of the Vulnerable Software and Affected Versions WPMK Ajax Finder WordPress plugin versions up to and including 1.0.1

Description The issue is related to Cross-Site Request Forgery, which occurs due to a missing nonce check in the createplugin atf admin setting page() function found in the ~/inc/config/create-plugin-config.php file. This allows attackers to inject arbitrary web scripts.

Recommendations For versions up to and including 1.0.1, consider disabling the createplugin atf admin setting page() function until a patch is available to prevent exploitation. Restrict access to the ~/inc/config/create-plugin-config.php file to minimize the risk of arbitrary web script injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.