Lucene search

WordfenceCVELIST:CVE-2022-3805

HistoryDec 22, 2022 - 8:26 p.m.

CVE-2022-3805

2022-12-2220:26:49

Wordfence

www.cve.org

jeg elementor kit

wordpress

authorization bypass

vulnerability

mailchimp api

global styles

404 page

enabled elements

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.4%

JSON

The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the MailChimp API key, global styles, 404 page settings, and enabled elements.

CNA Affected

[
  {
    "vendor": "jegtheme",
    "product": "Jeg Elementor Kit",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "2.5.6",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2811758%40jeg-elementor-kit%2Ftrunk&old=2810568%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail=

wordpress.org/plugins/jeg-elementor-kit/#developers

www.wordfence.com/threat-intel/vulnerabilities/id/c9955d65-afb3-4d28-abd2-9f2fec92d013

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.4%

JSON

Related for CVELIST:CVE-2022-3805