6.5
CVE-2022-2260
- EPSS 0.16%
- Veröffentlicht 01.08.2022 13:15:10
- Zuletzt bearbeitet 21.11.2024 07:00:38
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginGiveWP – Donation Plugin and Fundraising Platform <= 2.21.2 - Cross-Site Request Forgery
The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target's CPU.
Mögliche Gegenmaßnahme
GiveWP – Donation Plugin and Fundraising Platform: Update to version 2.21.3, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
GiveWP – Donation Plugin and Fundraising Platform
Version
*-2.21.2
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.367 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.