Lucene search

WPScanCVE-2022-2198

HistoryAug 22, 2022 - 3:15 p.m.

CVE-2022-2198

2022-08-2215:15:14

CWE-639

WPScan

web.nvd.nist.gov

cve-2022-2198

wpqa builder

wordpress

hilmer

discy

authorization

private messages

brute force

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.5

Confidence

High

EPSS

0.001

Percentile

24.8%

JSON

The WPQA Builder WordPress plugin before 5.7 which is a companion plugin to the Hilmer and Discy , does not check authorization before displaying private messages, allowing any logged in user to read other users private message using the message id, which can easily be brute forced.

Affected configurations

Nvd

Vulners

Node

2codewpqa_builderRange<5.7wordpress

VendorProductVersionCPE
2codewpqa_builder*cpe:2.3:a:2code:wpqa_builder:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
2code	wpqa_builder	*	cpe:2.3:a:2code:wpqa_builder::::::wordpress::*

CNA Affected

[
  {
    "product": "WPQA Builder",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "5.7",
        "status": "affected",
        "version": "5.7",
        "versionType": "custom"
      }
    ]
  }
]

References

wpscan.com/vulnerability/867248f2-d497-4ea8-b3f8-0f2e8aaaa2bd

Social References

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.5

Confidence

High

EPSS

0.001

Percentile

24.8%

JSON

Related for CVE-2022-2198