CVE-2022-0287

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-0287
The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog

4.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References
Link Resource
https://wpscan.com/vulnerability/6cd7cd6d-1cc1-472c-809b-b66389f149b0 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mycred:mycred:*:*:*:*:*:wordpress:*:*
History

07 Nov 2023, 03:41

Type Values Removed Values Added
CWE CWE-862

24 Jul 2023, 10:15

Type Values Removed Values Added
Summary The myCred WordPress plugin before 2.4.3.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog

21 Jul 2023, 16:53

Type Values Removed Values Added
CWE CWE-200 CWE-862
Information

Published : 2022-04-25 16:16

Updated : 2023-11-07 03:41

NVD link : CVE-2022-0287

Mitre link : CVE-2022-0287

JSON object : View

Products Affected

mycred

  • mycred
CWE

No CWE.