Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2022-0952
HistoryMay 02, 2022 - 4:15 p.m.

CVE-2022-0952

2022-05-0216:15:08
CWE-862
CWE-352
[email protected]
web.nvd.nist.gov
1
wordpress plugin
authorization
csrf
unauthenticated attackers
blog options
admin account.

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.48

Percentile

97.5%

JSON

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.

Affected configurations

Nvd
Node
sitemap_projectsitemapRange<1.0.36wordpress
VendorProductVersionCPE
sitemap_projectsitemap*cpe:2.3:a:sitemap_project:sitemap:*:*:*:*:*:wordpress:*:*

Related

wpvulndb 1
patchstack 1
prion 1
nuclei 1
wpexploit 1
cnvd 1
cve 1
githubexploit 1
cvelist 1
wpvulndb
wpvulndb
Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update
2022-04-11 00:00:00
patchstack
patchstack
WordPress Sitemap by click5 plugin <= 1.0.35 - Unauthenticated Arbitrary Options Update vulnerability
2022-04-11 00:00:00
prion
prion
Cross site request forgery (csrf)
2022-05-02 16:15:00
nuclei
nuclei
WordPress Sitemap by click5 <1.0.36 - Missing Authorization
2022-04-15 14:45:43
wpexploit
wpexploit
Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update
2022-04-11 00:00:00
cnvd
cnvd
WordPress Sitemap by click5 plugin存在ζœͺ明漏洞
2022-05-07 00:00:00
cve
cve
CVE-2022-0952
2022-05-02 16:15:08
githubexploit
githubexploit
Exploit for Cross-Site Request Forgery (CSRF) in Sitemap Project Sitemap
2023-08-07 14:28:11
cvelist
cvelist
CVE-2022-0952 Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update
2022-05-02 16:05:46

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.48

Percentile

97.5%

JSON
Related for NVD:CVE-2022-0952
wpvulndb1patchstack1prion1nuclei1wpexploit1cnvd1cve1githubexploit1cvelist1