VYPR
Medium severity 5.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2022-46845

Description

Missing Authorization vulnerability in Essential Plugin Slider a SlidersPack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slider a SlidersPack: from n/a before 2.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Slider a SlidersPack plugin for WordPress allows attackers to exploit incorrectly configured access controls, affecting versions before 2.3.

What is the vulnerability?

CVE-2022-46845 in the WordPress plugin Slider a SlidersPack (a Slider, Image, aka 'All-in-One Image Sliders') is a missing authorization vulnerability. The plugin fails to properly check access control levels in certain functions, meaning that actions that should require higher privileges can be performed without authentication. This flaw is tracked as a broken access control issue [1].

How is it exploited?

The vulnerability can be exploited by unauthenticated attackers, though the official description notes it affects security levels with incorrectly configured access controls. No specific authentication prerequisite is mentioned, which suggests that an attacker may not need to be logged in to the WordPress site to trigger the missing authorization. The attack surface is the plugin's REST endpoints or AJAX handlers that lack proper nonce or capability checks. The plugin is used on many thousands of websites, making it a target for mass-exploit campaigns [1].

What is the impact?

An attacker exploiting this missing authorization could perform actions that should be reserved for higher privileged users, such as modifying slider content or settings. The official CVSS score is 5.3 (Medium), and the impact is described as low severity, but when combined with other vulnerabilities or used at scale, it can lead to site defacement or data exposure. The vulnerability is broad in scope because the plugin handles image sliders, post sliders, and ACF gallery sliders [1].

Mitigation

The vendor has released version 2.3 of the plugin which patches the broken access control. Users are strongly advised to update immediately. Patchstack provides a mitigation rule for those unable to update immediately, blocking attacks until the patch is applied. As this vulnerability is known to be used in mass-exploit campaigns, prompt action is essential [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
