CVE-2022-1589
📋 TL;DR
The Change wp-admin login WordPress plugin before version 1.1.0 has an authorization bypass and missing CSRF protection in its settings update functionality. This allows unauthenticated attackers to modify plugin settings, potentially changing the WordPress admin login URL. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Change wp-admin login WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could change the WordPress admin login URL to a malicious page, hijack admin sessions, or disable the plugin entirely, potentially leading to full site compromise.
Likely Case
Attackers change the admin login URL to redirect legitimate administrators to phishing pages or disable security features, enabling credential theft or further attacks.
If Mitigated
With proper network segmentation and web application firewalls, the impact is limited to plugin functionality disruption without broader system compromise.
🎯 Exploit Status
Simple HTTP POST request to vulnerable endpoint with no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.0
Vendor Advisory: https://wpscan.com/vulnerability/257f9e14-4f43-4852-8384-80c15d087633
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Change wp-admin login' plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable vulnerable plugin
Deactivate the Change wp-admin login plugin to prevent exploitation:
wp plugin deactivate change-wp-admin-login
Web Application Firewall rule
Block requests to the vulnerable plugin endpoint:
Block POST requests to /wp-admin/admin-ajax.php?action=change_wp_admin_login_save_settings
🧯 If You Can't Patch
- Remove the Change wp-admin login plugin entirely from the WordPress installation
- Implement strict network access controls to limit who can access the WordPress admin interface
🔍 How to Verify
Check if Vulnerable:
Check WordPress plugin version: Navigate to Plugins → Installed Plugins and verify 'Change wp-admin login' version is below 1.1.0
Check Version:
wp plugin get change-wp-admin-login --field=version
Verify Fix Applied:
Confirm plugin version is 1.1.0 or higher in WordPress admin plugins page
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=change_wp_admin_login_save_settings from unauthenticated users
- Unusual changes to wp-admin login URL in plugin settings
Network Indicators:
- HTTP POST requests to vulnerable endpoint without authentication cookies
- Traffic patterns showing admin login URL changes
SIEM Query:
source="web_access.log" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND query="action=change_wp_admin_login_save_settings" AND NOT cookie="wordpress_logged_in"
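The SIEM query above can be run offline against raw access logs as well. The following Python script is an added example, not part of the advisory or of the plugin: it parses combined-format log lines (with the Cookie header appended as a final quoted field, an assumed log layout) and flags exactly what the query describes: a POST to /wp-admin/admin-ajax.php whose query string carries action=change_wp_admin_login_save_settings and whose request has no wordpress_logged_in_* cookie. The sample log lines and IP addresses are constructed.

```python
"""Added example for CVE-2022-1589 log review (not from the advisory).

Flags unauthenticated POSTs to the plugin's settings endpoint, mirroring the
advisory's SIEM query. Log layout (combined format + trailing quoted Cookie
field) and all sample lines are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format with an extra trailing "%{Cookie}i" field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

VULN_PATH = "/wp-admin/admin-ajax.php"                 # from the advisory
VULN_ACTION = "change_wp_admin_login_save_settings"    # from the advisory
AUTH_COOKIE_PREFIX = "wordpress_logged_in"             # WordPress auth cookie name prefix


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)   # {"action": ["..."], ...}
    return rec


def cookie_names(cookie_header):
    """Split a raw Cookie header into cookie names ('-' means no cookies logged)."""
    return [c.strip().split("=", 1)[0] for c in cookie_header.split(";") if c.strip()]


def is_suspicious(rec):
    """True when the record matches the advisory's SIEM query:
    POST to admin-ajax.php with the plugin's save-settings action and
    no wordpress_logged_in_* cookie on the request."""
    if rec["method"] != "POST" or rec["path"] != VULN_PATH:
        return False
    if VULN_ACTION not in rec["query"].get("action", []):
        return False
    return not any(n.startswith(AUTH_COOKIE_PREFIX) for n in cookie_names(rec["cookie"]))


def scan(lines):
    """Return the source IPs of all lines that match the detection rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append(rec["ip"])
    return hits


# Constructed sample log: one unauthenticated hit, one authenticated admin save,
# one GET, one unrelated AJAX action, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2022:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=change_wp_admin_login_save_settings HTTP/1.1" 200 45 "-" "curl/7.68.0" "-"',
    '198.51.100.4 - - [10/May/2022:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=change_wp_admin_login_save_settings HTTP/1.1" 200 45 "https://example.test/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_deadbeef=admin%7C1652443200%7Cx; wp-settings-1=foo"',
    '198.51.100.9 - - [10/May/2022:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=change_wp_admin_login_save_settings HTTP/1.1" 400 0 "-" "Mozilla/5.0" "-"',
    '203.0.113.8 - - [10/May/2022:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0" "-"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for ip in scan(SAMPLE_LOG):
        print("unauthenticated settings-save request from", ip)
```

Two caveats when applying this to real logs. First, the action parameter may be sent in the POST body rather than the query string, in which case the access log alone will not show it; the WAF rule in the workarounds section sees the full request and is the more reliable place to enforce. Second, the missing-CSRF-protection half of this CVE means a request riding a logged-in administrator's browser will carry a wordpress_logged_in_* cookie and pass this check, so the "unusual changes to the wp-admin login URL in plugin settings" indicator above remains necessary alongside the log rule.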