CVE-2022-3880

Name of the Vulnerable Software and Affected Versions Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan WordPress plugin versions prior to 4.20

Description The issue concerns a lack of proper authorization and CSRF protection in an AJAX action within the plugin. This allows any authenticated user, such as a subscriber, to install and activate arbitrary plugins from wordpress.org.

Recommendations For versions prior to 4.20, update to version 4.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the AJAX action or disabling the plugin until a patch is available.