CVE-2022-3024

Exploit

EPSS 0.23%
Veröffentlicht 26.09.2022 13:15:10
Zuletzt bearbeitet 22.05.2025 15:15:58
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

Simple Bitcoin Faucets <= 1.7.0 - Unauthorised AJAX Call to Stored XSS

Bitcoin Satoshi Tools <= 1.7.0 - Missing Authorization to Stored Cross-Site Scripting

The Simple Bitcoin Faucets WordPress plugin through 1.7.0 does not have any authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues

Mögliche Gegenmaßnahme

Bitcoin Satoshi Tools : Faucets, Visitor Rewarder, Satoshi Games, Referral Program: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Simple Bitcoin Faucets Project ≫ Simple Bitcoin Faucets SwPlatformwordpress Version <= 1.7.0

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Bitcoin Satoshi Tools : Faucets, Visitor Rewarder, Satoshi Games, Referral Program

Version *-1.7.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.137

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://wpscan.com/vulnerability/7f43cb8e-0c1b-4528-8c5c-b81ab42778dc

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/ec5fc038-b855-4744-8797-ce2cedd88f6a

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-3024

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-3024

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-3024

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-3024