CVE-2022-23975 WordPress Access Demo Importer plugin <= 1.0.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Plugin Activation

2022-04-1816:20:30

CWE-352

Patchstack

www.cve.org

wordpress

access demo importer

csrf

vulnerability

arbitrary

plugin activation

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

21.6%

JSON

Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin.

CNA Affected

[
  {
    "product": "Access Demo Importer (WordPress plugin)",
    "vendor": "AccessPress Themes",
    "versions": [
      {
        "lessThanOrEqual": "1.0.7",
        "status": "affected",
        "version": "<= 1.0.7",
        "versionType": "custom"
      }
    ]
  }
]

References

patchstack.com/database/vulnerability/access-demo-importer/wordpress-access-demo-importer-plugin-1-0-7-cross-site-request-forgery-csrf-vulnerability-leading-to-arbitrary-plugin-activation

wordpress.org/plugins/access-demo-importer/#developers