4.3
CVE-2022-4004
- EPSS 0.49%
- Veröffentlicht 12.12.2022 18:15:12
- Zuletzt bearbeitet 22.04.2025 15:16:08
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginDonation Button <= 4.0.0 - Subscriber+ Broken Access Control leading to SMS Spam
Donation Button <= 4.0.0 - Missing Authorization
The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may allow any users with an account on the affected site, like subscribers, to use the plugin's Twilio integration to send SMSes to arbitrary phone numbers.
Mögliche Gegenmaßnahme
Donation Button: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Donation Button Project ≫ Donation Button SwPlatformwordpress Version <= 4.0.0
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Donation Button
Version
*-4.0.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.49% | 0.38 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
|
https://wpscan.com/vulnerability/6a3bcfb3-3ede-459d-969f-b7b30dafd098
https://www.wordfence.com/threat-intel/vulnerabilities/id/a2b809f5-0384-43f5-8839-67bf059360eb