CVE-2022-0345 - OpenCVE

The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.).

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Madewithfuel	Customize Wordpress Emails And Alerts

Configuration 1 [-]

cpe:2.3:a:madewithfuel:customize_wordpress_emails_and_alerts:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://wpscan.com/vulnerability/b3b523b9-6c92-4091-837a-d34e3174eb19	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: WPScan

Published: 2022-02-28T09:06:47

Updated: 2023-07-24T09:45:02.218Z

Reserved: 2022-01-24T00:00:00

Link: CVE-2022-0345

JSON object: View

NVD Information

Status : Modified

Published: 2022-02-28T09:15:08.997

Modified: 2023-11-07T03:41:12.987

Link: CVE-2022-0345

JSON object: View

Redhat Information

No data.

CWE

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:madewithfuel:customize_wordpress_emails_and_alerts:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "2B66AC17-0BCE-4B06-9206-3315369FC437", "versionEndExcluding": "1.8.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.)."}, {"lang": "es", "value": "El plugin Customize WordPress Emails and Alerts de WordPress versiones anteriores a 1.8.7, no presenta autorizaci\u00f3n y comprobaci\u00f3n de tipo CSRF en su acci\u00f3n AJAX bnfw_search_users, permitiendo a cualquier usuario autenticado llamarlo y consultar los prefijos de los correos electr\u00f3nicos de los usuarios (encontrando la primera letra, luego la segunda, luego la tercera, etc.)."}], "id": "CVE-2022-0345", "lastModified": "2023-11-07T03:41:12.987", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-28T09:15:08.997", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/b3b523b9-6c92-4091-837a-d34e3174eb19"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}