CVE-2022-1749

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in the WPMK Ajax Finder WordPress plugin allows attackers to inject malicious scripts into WordPress admin settings pages. Attackers can trick authenticated administrators into performing unintended actions, potentially compromising the entire WordPress site. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WPMK Ajax Finder WordPress Plugin
Versions: All versions up to and including 1.0.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin activated. Attack requires tricking an authenticated administrator.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site takeover through script injection leading to backdoor installation, data theft, or ransomware deployment.

🟠 Likely Case: Malicious script injection leading to defacement, SEO spam injection, or credential theft from site visitors.

🟢 If Mitigated: No impact if proper CSRF protections are in place or the plugin is disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick authenticated admin users. CSRF attacks are well-understood and easily weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.2 or later

Vendor Advisory: https://wordpress.org/plugins/find-any-think/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WPMK Ajax Finder' and click 'Update Now'.
4. If no update is available, deactivate and delete the plugin immediately.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Deactivate the WPMK Ajax Finder plugin to eliminate the vulnerability:

wp plugin deactivate find-any-think

Implement CSRF protection headers (platform: linux)

Add security headers to WordPress to help mitigate CSRF attacks delivered by framing the admin pages (clickjacking); note that these headers do not block a direct cross-site form POST, so they complement rather than replace the patch.

Add to .htaccess:

Header set X-Frame-Options "DENY"
Header set Content-Security-Policy "frame-ancestors 'none'"

🧯 If You Can't Patch

  • Remove the plugin entirely from the WordPress installation
  • Implement strict access controls and monitoring for WordPress admin users

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'WPMK Ajax Finder' version 1.0.1 or earlier

Check Version:

wp plugin list --name=find-any-think --field=version

Verify Fix Applied:

Verify plugin version is 1.0.2 or later, or confirm plugin is not installed/activated

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php with createplugin_atf_admin_setting_page action
  • Multiple failed admin login attempts preceding suspicious requests

Network Indicators:

  • CSRF attack patterns with crafted requests to WordPress admin endpoints
  • Traffic spikes to admin-ajax.php with unusual parameters

SIEM Query:

source="wordpress.log" AND (action="createplugin_atf_admin_setting_page" OR plugin="find-any-think")
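The log indicators above can be turned into a concrete check. The following is an added example (not part of the original advisory or the plugin) that scans web-server access logs in combined log format for POST requests to admin-ajax.php carrying the createplugin_atf_admin_setting_page action whose Referer is missing or points off-site, which is the classic cross-site request signature; the log lines, IP addresses and hostnames are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=createplugin_atf_admin_setting_page HTTP/1.1" 200 51 "https://evil.example/lure.html" "Mozilla/5.0"
203.0.113.5 - - [10/May/2022:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=createplugin_atf_admin_setting_page HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2022:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=createplugin_atf_admin_setting_page HTTP/1.1" 200 51 "https://blog.example.org/wp-admin/admin.php?page=atf" "Mozilla/5.0"
198.51.100.7 - - [10/May/2022:10:02:20 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "https://blog.example.org/wp-admin/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# The admin-ajax action named in this advisory's log indicators.
SUSPECT_ACTION = "createplugin_atf_admin_setting_page"


def is_cross_site(referer, site_host):
    """A missing or off-site Referer on a state-changing admin request is the CSRF tell."""
    if referer in ("", "-"):
        return True
    return urlsplit(referer).hostname != site_host


def find_csrf_candidates(log_text, site_host):
    """Return the requests that match the advisory's indicator and look cross-site."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if m["method"] != "POST" or not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = parse_qs(url.query).get("action", [""])[0]
        if action != SUSPECT_ACTION:
            continue
        if is_cross_site(m["referer"], site_host):
            hits.append({"ip": m["ip"], "ts": m["ts"], "referer": m["referer"]})
    return hits


if __name__ == "__main__":
    for hit in find_csrf_candidates(SAMPLE_LOG, "blog.example.org"):
        print("possible CSRF:", hit)
```

The action parameter may also arrive in the POST body rather than the query string, which standard access logs do not record; in that case the same logic has to run on WAF or application-level request logs.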
