CVE-2022-3907

Exploit

EPSS 0.58%
Veröffentlicht 05.12.2022 17:15:10
Zuletzt bearbeitet 23.04.2025 15:15:50
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

Clerk <= 3.8.2 - Authorization Bypass via Insufficient Validation

The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options.

Mögliche Gegenmaßnahme

Clerk: Update to version 3.8.3, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Clerk

Version *-3.8.2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Clerk ≫ Clerk.Io SwPlatformwordpress Version < 4.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.58%	0.682

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://wpscan.com/vulnerability/7920c1c1-709d-4b1f-ac08-f0a02ddb329c

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/c929a742-6481-40a0-94b5-76ddb8494896

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-3907

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-3907

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-3907

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-3907