CVE-2022-0439
Severity: HIGH (CVSS 8.8)
Description
The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged-in user into performing the action by clicking a link.
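The two weaknesses above are the classic WordPress AJAX pair: sort parameters interpolated into an ORDER BY clause (which cannot be bound as a value through `$wpdb->prepare()`, so escaping alone is not enough) and a handler reachable without a nonce. The following is an added illustrative example, not the plugin's own code: it shows the vulnerable shape beside a hardened handler that verifies the nonce, requires a capability above Subscriber, and maps both parameters onto a fixed allow-list. The handler names, the `example_fetch_report_list` action, the `example_reports` table and its column names are assumptions.

```php
<?php
// Added illustrative example; not code from the Email Subscribers & Newsletters plugin.
// Handler names, the AJAX action name, the table name and its columns are assumed.

// Vulnerable shape, as described in the advisory: the sort parameters are
// interpolated straight into the SQL string and no nonce is checked, so any
// logged-in user (or a victim lured to a crafted link) can reach the query.
function vulnerable_fetch_report_list() {
    global $wpdb;
    $orderby = $_REQUEST['orderby'];               // unescaped, attacker-controlled
    $order   = $_REQUEST['order'];                 // unescaped, attacker-controlled
    $table   = $wpdb->prefix . 'example_reports';  // assumed table name
    // ORDER BY identifiers cannot be bound with $wpdb->prepare(), and a
    // subquery or CASE expression here changes row order, which is enough
    // for a blind (boolean-style) SQL injection.
    $rows = $wpdb->get_results( "SELECT * FROM {$table} ORDER BY {$orderby} {$order}" );
    wp_send_json_success( $rows );
}

// Hardened shape: CSRF check, authorisation check, and an allow-list so that
// no attacker-controlled bytes ever reach the SQL string.
function hardened_fetch_report_list() {
    global $wpdb;

    // CWE-352: reject requests that do not carry a valid nonce for this action.
    // The calling page creates it with wp_create_nonce( 'example_fetch_report_list' )
    // (assumed action name) and sends it in the 'security' field.
    check_ajax_referer( 'example_fetch_report_list', 'security' );

    // Authorisation: a Subscriber should not be able to read report data at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // CWE-89: only columns we wrote ourselves may appear in ORDER BY (assumed schema).
    $allowed_columns = array( 'id', 'created_at', 'status', 'subject' );
    $orderby = isset( $_REQUEST['orderby'] ) ? sanitize_key( $_REQUEST['orderby'] ) : 'id';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id';
    }

    // Direction is restricted to the two literals ASC / DESC.
    $order = isset( $_REQUEST['order'] ) ? strtoupper( sanitize_key( $_REQUEST['order'] ) ) : 'DESC';
    $order = ( 'ASC' === $order ) ? 'ASC' : 'DESC';

    // Any genuinely variable value (here a page size) goes through prepare().
    $per_page = isset( $_REQUEST['per_page'] ) ? absint( $_REQUEST['per_page'] ) : 20;
    $per_page = max( 1, min( $per_page, 100 ) );

    $table = $wpdb->prefix . 'example_reports';  // assumed table name
    // $orderby and $order are now one of a handful of developer-chosen literals,
    // so interpolating them is safe; $per_page is bound as an integer.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} ORDER BY {$orderby} {$order} LIMIT %d",
        $per_page
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Register only the authenticated hook; there is deliberately no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_example_fetch_report_list', 'hardened_fetch_report_list' );
```

The essential point is that `orderby` and `order` are never sanitised into the query; they are used only to select one of a few literals that the developer wrote. `sanitize_key()` is applied first so that comparison against the allow-list is done on a normalised lowercase token, not as a substitute for the allow-list itself. If the plugin's own table schema differs, only the `$allowed_columns` array changes.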
CVE details
CVSS v3.1 score: 8.8
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 2022-03-07
Last modified: 2024-11-21
Source: nvd
Honeypot sightings: 0
Affected products
icegram:email_subscribers_&_newsletters
Weaknesses (CWE)
CWE-89 (SQL Injection), CWE-352 (Cross-Site Request Forgery)
References
https://wpscan.com/vulnerability/729d3e67-d081-4a4e-ac1e-f6b0a184f095 (contact@wpscan.com; af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.