CVE-2022-4016 Booster for WooCommerce - Custom Role Creation/Deletion via CSRF

2022-12-1217:57:10

WPScan

www.cve.org

wordpress plugin

csrf

customer roles

arbitrary

admins

EPSS

0.001

Percentile

34.1%

JSON

The Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.6, Booster Elite for WooCommerce WordPress plugin before 1.1.8 does not properly check for CSRF when creating and deleting Customer roles, allowing attackers to make logged admins create and delete arbitrary custom roles via CSRF attacks

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Booster for WooCommerce",
    "collectionURL": "https://wordpress.org/plugins",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "5.6.7"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Unknown",
    "product": "Booster Plus for WooCommerce",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "5.6.6"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Unknown",
    "product": "Booster Elite for WooCommerce",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "1.1.8"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

wpscan.com/vulnerability/9b77044c-fd3f-4e6f-a759-dcc3082dcbd6

EPSS

0.001

Percentile

34.1%

JSON

Related for CVELIST:CVE-2022-4016