4.3
CVE-2022-0442
- EPSS 0.64%
- Veröffentlicht 07.03.2022 09:15:09
- Zuletzt bearbeitet 21.11.2024 06:38:38
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginUsersWP < 1.2.3.1 - Subscriber+ User Avatar Override
UsersWP <= 1.2.3 - Subscriber+ User Avatar Override
The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar.
Mögliche Gegenmaßnahme
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP: Update to version 1.2.3.1, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP
Version
[*, 1.2.3.1)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.64% | 0.46 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:N/I:P/A:N
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
https://wpscan.com/vulnerability/9cf0822a-c9d6-4ebc-b905-95b143d1a692
https://www.wordfence.com/threat-intel/vulnerabilities/id/f31b42c8-cf82-49cf-ac4c-d42a28252d66