8.8
CVE-2022-3537
- EPSS 0.18%
- Veröffentlicht 07.11.2022 10:15:12
- Zuletzt bearbeitet 01.05.2025 20:15:34
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginRole Based Pricing for WooCommerce <= 1.6.1 - Authenticated (Subscriber+) Arbitrary File Upload
The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP
Mögliche Gegenmaßnahme
Role Based Pricing for WooCommerce: Update to version 1.6.2, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Role Based Pricing for WooCommerce
Version
* - 1.6.1
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Addify ≫ Role Based Pricing For Woocommerce SwPlatformwordpress Version < 1.6.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.402 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.