CVE-2022-4023

Name of the Vulnerable Software and Affected Versions 3DPrint WordPress plugin versions prior to 3.5.6.9

Description The issue allows an attacker to craft a malicious request, exploiting the lack of protection against CSRF attacks in the modified version of Tiny File Manager. This can trick a logged-in admin into submitting a form that creates an archive of any files or directories on the target server. The created archive has a predictable location and name, allowing the attacker to download the file if they know the time at which the form was submitted. This makes it possible to leak sensitive files, such as the WordPress configuration containing database credentials and secrets.

Recommendations For versions prior to 3.5.6.9, update to version 3.5.6.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the Tiny File Manager module to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.