History: Dec 12, 2022 - 6:15 p.m.

CVE-2022-3879

2022-12-12 18:15:11
CWE-352
CWE-863
WPScan
web.nvd.nist.gov
cve-2022-3879
car dealer
dealership
vehicle sales
wordpress plugin
csrf
authorization
vulnerability
nvd

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 21.4%

The Car Dealer (Dealership) and Vehicle sales WordPress Plugin WordPress plugin before 3.05 does not have proper authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from wordpress.org.

Affected configurations

Nvd
Vulners
Node
car_dealer_project  car_dealer  Range <3.05  wordpress

Vendor              Product     Version  CPE
car_dealer_project  car_dealer  *        cpe:2.3:a:car_dealer_project:car_dealer:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Car Dealer (Dealership) and Vehicle sales WordPress Plugin",
    "collectionURL": "https://wordpress.org/plugins",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "3.05"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
