6.5

CVE-2022-2108

Wbcom Designs – BuddyPress Group Reviews <= 2.8.3 - Unauthorized AJAX Actions due to Nonce Bypass

Wbcom Designs – BuddyPress Group Reviews <= 2.8.3 - Unauthorized AJAX Actions due to Nonce Bypass

The plugin Wbcom Designs – BuddyPress Group Reviews for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to said actions in versions up to, and including, 2.8.3. This makes it possible for unauthenticated attackers to modify reviews and plugin settings on the affected site.
Mögliche Gegenmaßnahme
Wbcom Designs – BuddyPress Group Reviews: Update to version 2.8.4, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WbcomdesignsBuddypress Group Reviews SwPlatformwordpress Version < 2.8.4
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt Wbcom Designs – BuddyPress Group Reviews
Version *-2.8.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.67% 0.472
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security@wordfence.com 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://plugins.trac.wordpress.org/browser/review-buddypress-groups/trunk/includes/bgr-ajax.php#L359
Product
https://plugins.trac.wordpress.org/changeset/2742109
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/397dabc3-5dcf-4d1f-9e24-28af889cb76f?source=cve
Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2108
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/397dabc3-5dcf-4d1f-9e24-28af889cb76f
Third Party Advisory