CVE-2022-1605

🗓️ 13 Jun 2022 12:42:08Reported by WPScanType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 63 Views🌐 WEB

The Email Users WordPress plugin through 4.8.8 lacks CSRF protection for settings update, enabling attackers to manipulate admin notification settings via CSRF attack. Impacting arbitrary users

Reporter	Title	Published	Views	Family All 12
ATTACKERKB	CVE-2022-1605	13 Jun 202213:15	–	attackerkb
CNNVD	WordPress plugin Email Users 跨站请求伪造漏洞	13 Jun 202200:00	–	cnnvd
CNVD	WordPress Email Users plugin cross-site request forgery vulnerability	15 Jun 202200:00	–	cnvd
Cvelist	CVE-2022-1605 Email Users <= 4.8.8 - Arbitrary Settings Update via CSRF	13 Jun 202212:42	–	cvelist
EUVD	EUVD-2022-24894	3 Oct 202520:07	–	euvd
NVD	CVE-2022-1605	13 Jun 202213:15	–	nvd
OSV	CVE-2022-1605	13 Jun 202213:15	–	osv
Patchstack	WordPress Email Users plugin <= 4.8.8 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability	18 May 202200:00	–	patchstack
Prion	Cross site request forgery (csrf)	13 Jun 202213:15	–	prion
RedhatCVE	CVE-2022-1605	22 May 202523:31	–	redhatcve

NVD

Vulners

Node

email_users_project email_usersRange≤4.8.8wordpress

[
  {
    "product": "Email Users",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThanOrEqual": "4.8.8",
        "status": "affected",
        "version": "4.8.8",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/a1b69615-690a-423b-afdf-729dcd32bc2f

Parameter	Position	Path	Description	CWE
page	query param	/wp-admin/admin.php?page=mailusers-user-settings&s&action=notifications_off_email_off&paged=1&user%5B0%5D=1&user%5B1%5D=2&user%5B2%5D=3&action2=notifications_off_email_off	CSRF-prone endpoint for updating notification settings in Email Users WordPress plugin (pre-CVE fix)	CWE-352
s	query param	/wp-admin/admin.php?page=mailusers-user-settings&s&action=notifications_off_email_off&paged=1&user%5B0%5D=1&user%5B1%5D=2&user%5B2%5D=3&action2=notifications_off_email_off	CSRF-prone endpoint for updating notification settings in Email Users WordPress plugin (pre-CVE fix)	CWE-352
action	query param	/wp-admin/admin.php?page=mailusers-user-settings&s&action=notifications_off_email_off&paged=1&user%5B0%5D=1&user%5B1%5D=2&user%5B2%5D=3&action2=notifications_off_email_off	CSRF-prone endpoint for updating notification settings in Email Users WordPress plugin (pre-CVE fix)	CWE-352
paged	query param	/wp-admin/admin.php?page=mailusers-user-settings&s&action=notifications_off_email_off&paged=1&user%5B0%5D=1&user%5B1%5D=2&user%5B2%5D=3&action2=notifications_off_email_off	CSRF-prone endpoint for updating notification settings in Email Users WordPress plugin (pre-CVE fix)	CWE-352
user[0]	query param	/wp-admin/admin.php?page=mailusers-user-settings&s&action=notifications_off_email_off&paged=1&user%5B0%5D=1&user%5B1%5D=2&user%5B2%5D=3&action2=notifications_off_email_off	CSRF-prone endpoint for updating notification settings in Email Users WordPress plugin (pre-CVE fix)	CWE-352
user[1]	query param	/wp-admin/admin.php?page=mailusers-user-settings&s&action=notifications_off_email_off&paged=1&user%5B0%5D=1&user%5B1%5D=2&user%5B2%5D=3&action2=notifications_off_email_off	CSRF-prone endpoint for updating notification settings in Email Users WordPress plugin (pre-CVE fix)	CWE-352
user[2]	query param	/wp-admin/admin.php?page=mailusers-user-settings&s&action=notifications_off_email_off&paged=1&user%5B0%5D=1&user%5B1%5D=2&user%5B2%5D=3&action2=notifications_off_email_off	CSRF-prone endpoint for updating notification settings in Email Users WordPress plugin (pre-CVE fix)	CWE-352
action2	query param	/wp-admin/admin.php?page=mailusers-user-settings&s&action=notifications_off_email_off&paged=1&user%5B0%5D=1&user%5B1%5D=2&user%5B2%5D=3&action2=notifications_off_email_off	CSRF-prone endpoint for updating notification settings in Email Users WordPress plugin (pre-CVE fix)	CWE-352

21 Nov 2024 06:41Current

6.4Medium risk

Vulners AI Score6.4

CVSS 24.3

CVSS 3.16.5

EPSS0.00103

CWE-352