{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-2387", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "dateUpdated": "2022-11-07T00:00:00", "dateReserved": "2022-07-12T00:00:00", "datePublished": "2022-11-07T00:00:00"}, "containers": {"cna": {"title": "Easy Digital Downloads < 3.0 - Arbitrary Post Deletion via CSRF", "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2022-11-07T00:00:00"}, "descriptions": [{"lang": "en", "value": "The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack"}], "affected": [{"vendor": "Unknown", "product": "Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files", "versions": [{"version": "3.0", "status": "affected", "lessThan": "3.0", "versionType": "custom"}]}], "references": [{"url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"}], "credits": [{"lang": "en", "value": "Krzysztof Zaj\u0105c"}], "problemTypes": [{"descriptions": [{"type": "CWE", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "lang": "en"}]}], "x_generator": "WPScan CVE Generator", "source": {"discovery": "EXTERNAL"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sandhillsdev:easy_digital_downloads:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C2EF547A-BB80-4DCB-A489-02E7CAD22CDE", "versionEndExcluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack"}, {"lang": "es", "value": "El complemento de WordPress Easy Digital Downloads anterior a 3.0 no cuenta con verificaci\u00f3n CSRF al eliminar el historial de pagos y no garantiza que la publicaci\u00f3n que se eliminar\u00e1 sea en realidad un historial de pagos. Como resultado, los atacantes podr\u00edan hacer que un administrador que haya iniciado sesi\u00f3n elimine una publicaci\u00f3n arbitraria mediante un ataque CSRF."}], "id": "CVE-2022-2387", "lastModified": "2022-11-09T20:00:04.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-07T10:15:11.413", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/db3c3c78-1724-4791-9ab6-ebb2e8a4c8b8"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "contact@wpscan.com", "type": "Primary"}]}

{}