CVE-2022-4948: 
WordPress vulnerability analysis and mitigation

The FlyingPress WordPress plugin, versions up to and including 3.9.6, contained a missing authorization vulnerability (CVE-2022-4948). The vulnerability was discovered on October 05, 2022, and was fixed with the release of version 3.9.7 on November 14, 2022. This security issue affected the plugin's AJAX actions, potentially exposing administrative functions to lower-privileged users (Nintechnet Blog).

The vulnerability stems from nine different AJAX actions registered in the FlyingPress\Ajax::init method that lacked both capability checks and security nonces. One particularly concerning action, 'save_config', allowed for the configuration of external CDN settings. The vulnerability received a CVSS v3.1 score of 7.6 (High), indicating its serious nature. The issue is classified as CWE-862 (Missing Authorization) (Nintechnet Blog, NVD).

The vulnerability could allow authenticated users with subscriber-level permissions to modify plugin configurations, particularly concerning CDN settings. An attacker could potentially redirect static files (JavaScript, CSS) to a malicious domain, enabling the injection of malicious code into all pages and posts on the affected website (Nintechnet Blog).

The vulnerability was patched in FlyingPress version 3.9.7. Site administrators running version 3.9.6 or below are strongly advised to update immediately. Users of NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium) were protected against this vulnerability (Nintechnet Blog).