{"containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2023-07-04T08:50:23.489Z"}, "title": "YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak", "problemTypes": [{"descriptions": [{"description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "YaySMTP", "versions": [{"status": "affected", "versionType": "custom", "version": "0", "lessThan": "2.2.1"}], "defaultStatus": "unaffected", "collectionURL": "https://wordpress.org/plugins"}], "descriptions": [{"lang": "en", "value": "The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them"}], "references": [{"url": "https://wpscan.com/vulnerability/bedda2a9-6c52-478e-b17a-7a4488419334", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Rafshanzani Suhada", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-2370", "datePublished": "2022-08-01T12:52:51", "dateReserved": "2022-07-11T00:00:00", "dateUpdated": "2023-07-04T08:50:23.489Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yaycommerce:yaysmtp:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C851DF65-56CF-49EE-A017-A546E7AE6ACC", "versionEndExcluding": "2.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them"}, {"lang": "es", "value": "El plugin YaySMTP de WordPress versiones anteriores a 2.2.1, no dispone de una comprobaci\u00f3n de capacidad antes de mostrar las credenciales de correo en el c\u00f3digo JS para la configuraci\u00f3n, permitiendo a cualquier usuario autenticado, como el suscriptor, recuperarlas"}], "id": "CVE-2022-2370", "lastModified": "2023-11-07T03:46:33.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-01T13:15:11.343", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/bedda2a9-6c52-478e-b17a-7a4488419334"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}