CVE-2022-40700

Server-Side Request Forgery (SSRF) vulnerability affecting multiple WordPress plugins

Description

Server-Side Request Forgery (SSRF) vulnerability in Montonio Montonio for WooCommerce, Wpopal Wpopal Core Features, AMO for WP – Membership Management ArcStone wp-amo, Long Watch Studio WooVirtualWallet – A virtual wallet for WooCommerce, Long Watch Studio WooVIP – Membership plugin for WordPress and WooCommerce, Long Watch Studio WooSupply – Suppliers, Supply Orders and Stock Management, Squidesma Theme Minifier, Paul Clark Styles styles, Designmodo Inc. WordPress Page Builder – Qards, Philip M. Hofer (Frumph) PHPFreeChat, Arun Basil Lal Custom Login Admin Front-end CSS, Team Agence-Press CSS Adder By Agence-Press, Unihost Confirm Data, deano1987 AMP Toolbox amp-toolbox, Arun Basil Lal Admin CSS MU.

This issue affects:

  • Montonio for WooCommerce: from n/a through 6.0.1
  • Wpopal Core Features: from n/a through 1.5.8
  • ArcStone: from n/a through 4.6.6
  • WooVirtualWallet – A virtual wallet for WooCommerce: from n/a through 2.2.1
  • WooVIP – Membership plugin for WordPress and WooCommerce: from n/a through 1.4.4
  • WooSupply – Suppliers, Supply Orders and Stock Management: from n/a through 1.2.2
  • Theme Minifier: from n/a through 2.0
  • Styles: from n/a through 1.2.3
  • WordPress Page Builder – Qards: from n/a through 1.0.5
  • PHPFreeChat: from n/a through 0.2.8
  • Custom Login Admin Front-end CSS: from n/a through 1.4.1
  • CSS Adder By Agence-Press: from n/a through 1.5.0
  • Confirm Data: from n/a through 1.0.7
  • AMP Toolbox: from n/a through 2.1.1
  • Admin CSS MU: from n/a through 2.6

Remediation

Solution:

  • Update Montonio for WooCommerce to 6.0.2 or a higher version.
  • Update Custom Login Admin Front-end CSS to 1.5 or a higher version.
  • Update Admin CSS MU to 2.7 or a higher version.

Category

CVSS 3.1: 8.2
Severity: High
EPSS: 0.54%
Affected: Montonio Montonio for WooCommerce
Affected: Wpopal Wpopal Core Features
Affected: AMO for WP – Membership Management ArcStone
Affected: Long Watch Studio WooVirtualWallet – A virtual wallet for WooCommerce
Affected: Long Watch Studio WooVIP – Membership plugin for WordPress and WooCommerce
Affected: Long Watch Studio WooSupply – Suppliers, Supply Orders and Stock Management
Affected: Squidesma Theme Minifier
Affected: Paul Clark Styles
Affected: Designmodo Inc. WordPress Page Builder – Qards
Affected: Philip M. Hofer (Frumph) PHPFreeChat
Affected: Arun Basil Lal Custom Login Admin Front-end CSS
Affected: Team Agence-Press CSS Adder By Agence-Press
Affected: Unihost Confirm Data
Affected: deano1987 AMP Toolbox
Affected: Arun Basil Lal Admin CSS MU

References

Link Tags
https://patchstack.com/database/vulnerability/montonio-for-woocommerce/wordpress-montonio-for-woocommerce-plugin-6-0-1-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/wpopal-core-features/wordpress-wpopal-core-features-plugin-1-5-7-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/wp-amo/wordpress-amo-for-wp-plugin-4-6-6-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/woovirtualwallet/wordpress-woovirtualwallet-plugin-2-2-1-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/woovip/wordpress-woovip-plugin-1-4-4-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/woosupply/wordpress-woosupply-plugin-1-2-2-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/theme-minifier/wordpress-theme-minifier-plugin-2-0-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/styles/wordpress-styles-plugin-1-2-3-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/qards-free/wordpress-wordpress-page-builder-qards-plugin-1-0-5-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/phpfreechat/wordpress-phpfreechat-plugin-0-2-8-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/custom-login-admin-front-end-css-with-multisite-support/wordpress-custom-login-admin-front-end-css-plugin-1-4-1-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/css-adder-by-agence-press/wordpress-css-adder-by-agene-press-plugin-1-5-0-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/confirm-data/wordpress-confirm-data-plugin-1-0-7-unauth-server-side-request-forgery-ssrf-vulnerability?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/amp-toolbox/wordpress-amp-toolbox-plugin-2-1-1-server-side-request-forgery-ssrf?_s_id=cve third party advisory vdb entry
https://patchstack.com/database/vulnerability/admin-css-mu/wordpress-admin-css-mu-plugin-2-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve third party advisory vdb entry

Frequently Asked Questions

What is the severity of CVE-2022-40700?
CVE-2022-40700 has been scored as a high severity vulnerability.
How to fix CVE-2022-40700?
To fix CVE-2022-40700: Update Montonio for WooCommerce to 6.0.2 or a higher version. Update Custom Login Admin Front-end CSS to 1.5 or a higher version. Update Admin CSS MU to 2.7 or a higher version.
Is CVE-2022-40700 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2022-40700 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-40700?
CVE-2022-40700 affects Montonio Montonio for WooCommerce, Wpopal Wpopal Core Features, AMO for WP – Membership Management ArcStone, Long Watch Studio WooVirtualWallet – A virtual wallet for WooCommerce, Long Watch Studio WooVIP – Membership plugin for WordPress and WooCommerce, Long Watch Studio WooSupply – Suppliers, Supply Orders and Stock Management, Squidesma Theme Minifier, Paul Clark Styles, Designmodo Inc. WordPress Page Builder – Qards, Philip M. Hofer (Frumph) PHPFreeChat, Arun Basil Lal Custom Login Admin Front-end CSS, Team Agence-Press CSS Adder By Agence-Press, Unihost Confirm Data, deano1987 AMP Toolbox, Arun Basil Lal Admin CSS MU.