CVE-2022-1203 - OpenCVE

The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Content Mask Project	Content Mask

Configuration 1 [-]

cpe:2.3:a:content_mask_project:content_mask:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://wpscan.com/vulnerability/3c9969e5-ca8e-4e5d-a482-c6b5c4257820	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: WPScan

Published: 2022-05-30T00:00:00

Updated: 2023-07-04T08:09:07.959Z

Reserved: 2022-04-01T00:00:00

Link: CVE-2022-1203

JSON object: View

NVD Information

Status : Modified

Published: 2022-05-30T09:15:09.050

Modified: 2023-11-07T03:41:48.553

Link: CVE-2022-1203

JSON object: View

Redhat Information

No data.

CWE

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:content_mask_project:content_mask:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4392A69B-E521-4166-8123-53319E8D6DAF", "versionEndExcluding": "1.8.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options"}, {"lang": "es", "value": "El plugin Content Mask de WordPress versiones anteriores a 1.8.4.1, no dispone de comprobaciones de autorizaci\u00f3n y de tipo CSRF en varias acciones AJAX, as\u00ed como no comprueba la opci\u00f3n de actualizaci\u00f3n para asegurar que pertenece al plugin. Como resultado, cualquier usuario autenticado, como el suscriptor podr\u00eda modificar opciones arbitrarias del blog"}], "id": "CVE-2022-1203", "lastModified": "2023-11-07T03:41:48.553", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-30T09:15:09.050", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/3c9969e5-ca8e-4e5d-a482-c6b5c4257820"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}