CVE-2022-2260

2022-08-0113:15:10

CWE-352

[email protected]

web.nvd.nist.gov

givewp

wordpress plugin

csrf

dos

nvd

cve-2022-2260

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

25.9%

JSON

The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target’s CPU.

Affected configurations

Vulners

NVD

Node

wpmetwp_fundraising_donation_and_crowdfunding_platformRange<2.21.3

VendorProductVersionCPE
wpmetwp_fundraising_donation_and_crowdfunding_platform*cpe:2.3:a:wpmet:wp_fundraising_donation_and_crowdfunding_platform:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wpmet	wp_fundraising_donation_and_crowdfunding_platform	*	cpe:2.3:a:wpmet:wp_fundraising_donation_and_crowdfunding_platform::::::::

CNA Affected

[
  {
    "product": "GiveWP – Donation Plugin and Fundraising Platform",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "2.21.3",
        "status": "affected",
        "version": "2.21.3",
        "versionType": "custom"
      }
    ]
  }
]