6.5
CVE-2022-0914
- EPSS 0.62%
- Veröffentlicht 11.04.2022 15:15:08
- Zuletzt bearbeitet 21.11.2024 06:39:39
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginExport All URLs < 4.3 - Private/Draft Post/Page Title Disclosure via CSRF
Export All URLs <= 4.2 - Cross-Site Request Forgery to Sensitive Data Export
The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private and draft) into an arbitrary CSV file, which the attacker can then download and retrieve the list of titles for example
Mögliche Gegenmaßnahme
Export All URLs: Update to version 4.3, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Atlasgondal ≫ Export All Urls SwPlatformwordpress Version < 4.3
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Export All URLs
Version
[*, 4.3)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.62% | 0.451 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:P/I:N/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
https://wpscan.com/vulnerability/c328be28-75dd-43db-a5b9-c1ba0636c930
https://www.wordfence.com/threat-intel/vulnerabilities/id/5ac8e551-7995-4201-b711-87773da1be9e