6.5

CVE-2022-2260

Exploit

GiveWP < 2.21.3 - DoS via CSRF

GiveWP – Donation Plugin and Fundraising Platform <= 2.21.2 - Cross-Site Request Forgery

The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target's CPU.
Mögliche Gegenmaßnahme
GiveWP – Donation Plugin and Fundraising Platform: Update to version 2.21.3, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GivewpGivewp SwPlatformwordpress Version < 2.21.3
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt GiveWP – Donation Plugin and Fundraising Platform
Version *-2.21.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.38% 0.291
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://wpscan.com/vulnerability/831b3afa-8fa3-4cb7-8374-36d0c368292f
Third Party Advisory
Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/3dc26eaa-2da5-4cd6-b613-4da2faad0f3b
Third Party Advisory