5.3

CVE-2022-3489

Exploit

WP Hide <= 0.0.2 - Unauthenticated Settings Update

WP Hide <= 0.0.2 - Missing Authorization to Settings Update

The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request
Mögliche Gegenmaßnahme
Wp-Hide: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WebergeWp Hide SwPlatformwordpress Version <= 0.0.2
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt Wp-Hide
Version *-0.0.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.35% 0.263
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://wpscan.com/vulnerability/36d78b6c-0da5-44f8-b7b3-eae78edac505
Third Party Advisory
Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/4e534021-1c63-4db9-914b-7f9b3b613087
Third Party Advisory