CVE-2022-1732 - Vulnerability Details - OpenCVE

The Rename wp-login.php WordPress plugin through 2.6.0 does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rename Wp-login Project	Rename Wp-login

Configuration 1 [-]

cpe:2.3:a:rename_wp-login_project:rename_wp-login:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/3620a087-032e-4a5f-99c8-f9e7e9c29813

History

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00134}`	epss `{'score': 0.00197}`

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00116}`	epss `{'score': 0.00134}`

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2022-07-11T12:56:10

Updated: 2024-08-03T00:16:59.695Z

Reserved: 2022-05-16T00:00:00

Link: CVE-2022-1732

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-07-11T13:15:08.650

Modified: 2024-11-21T06:41:20.890

Link: CVE-2022-1732

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Rename wp-login.php", "vendor": "Unknown", "versions": [{"lessThanOrEqual": "2.6.0", "status": "affected", "version": "2.6.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Daniel Ruf"}], "descriptions": [{"lang": "en", "value": "The Rename wp-login.php WordPress plugin through 2.6.0 does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-11T12:56:10", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/3620a087-032e-4a5f-99c8-f9e7e9c29813"}], "source": {"discovery": "EXTERNAL"}, "title": "Rename wp-login.php <= 2.6.0 - Secret URL Update via CSRF", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-1732", "STATE": "PUBLIC", "TITLE": "Rename wp-login.php <= 2.6.0 - Secret URL Update via CSRF"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Rename wp-login.php", "version": {"version_data": [{"version_affected": "<=", "version_name": "2.6.0", "version_value": "2.6.0"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Daniel Ruf"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Rename wp-login.php WordPress plugin through 2.6.0 does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack"}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/3620a087-032e-4a5f-99c8-f9e7e9c29813", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/3620a087-032e-4a5f-99c8-f9e7e9c29813"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:16:59.695Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/3620a087-032e-4a5f-99c8-f9e7e9c29813"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-1732", "datePublished": "2022-07-11T12:56:10", "dateReserved": "2022-05-16T00:00:00", "dateUpdated": "2024-08-03T00:16:59.695Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rename_wp-login_project:rename_wp-login:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A3200FD6-5682-451F-BD12-C030B0158C04", "versionEndIncluding": "2.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Rename wp-login.php WordPress plugin through 2.6.0 does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack"}, {"lang": "es", "value": "El plugin Rename wp-login.php de WordPress versiones hasta 2.6.0, no presenta una comprobaci\u00f3n de tipo CSRF cuando es actualizada la URL secreta de inicio de sesi\u00f3n, lo que podr\u00eda permitir a atacantes hacer que un administrador conectado la cambie por medio de un ataque de tipo CSRF"}], "id": "CVE-2022-1732", "lastModified": "2024-11-21T06:41:20.890", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-11T13:15:08.650", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/3620a087-032e-4a5f-99c8-f9e7e9c29813"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/3620a087-032e-4a5f-99c8-f9e7e9c29813"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "contact@wpscan.com", "type": "Secondary"}]}