CVE-2022-0191: 
WordPress vulnerability analysis and mitigation

The Ad Invalid Click Protector (AICP) WordPress plugin before version 1.2.7 contained a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2022-0191. The vulnerability was discovered in early 2022 and allowed attackers to make a logged-in administrator remove arbitrary user bans from the system due to missing CSRF protection in the ban deletion functionality (WPScan, CVE Mitre).

The vulnerability existed in the ban deletion functionality of the plugin where there was no CSRF token verification when processing delete requests. An attacker could craft a malicious URL in the format 'https://example.com/wp-admin/admin.php?page=aicpbanneduser_details&action=delete&id=1' to trigger unauthorized ban removals when accessed by an authenticated administrator (WPScan). The issue was fixed in version 1.2.7 by implementing nonce verification for the deletion process (WordPress Plugin).

If exploited, this vulnerability could allow attackers to trick administrators into removing banned users from the system without their knowledge or consent, potentially undermining the security measures put in place to protect against invalid clicks and malicious users (WPScan).

The vulnerability was patched in version 1.2.7 of the Ad Invalid Click Protector plugin by adding nonce verification for the ban deletion process. Users should update to version 1.2.7 or later to protect against this vulnerability (WordPress Plugin).