Lucene search

CVE-2022-3336

🗓️ 21 Nov 2022 11:20:15Reported by WPScanType

cve🔗 web.nvd.nist.gov📰️ 7 Media mentions👁 53 Views🌐 WEB

The Event Monster WordPress plugin before 1.2.0 lacks CSRF check when deleting visitors, potentially enabling CSRF attack to make admin delete arbitrary visitors

5 of 5AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Reporter	Title	Published	Views	Family All 8
Patchstack	WordPress Event Monster plugin <= 1.1.20 - Cross-Site Request Forgery (CSRF) vulnerability	31 Oct 202200:00	–	patchstack
Vulnrichment	CVE-2022-3336 Event Monster < 1.2.0 - Visitors Deletion via CSRF	21 Nov 202200:00	–	vulnrichment
CNVD	WordPress Event Monster Cross-Site Request Forgery Vulnerability	23 Nov 202200:00	–	cnvd
NVD	CVE-2022-3336	21 Nov 202211:15	–	nvd
wpexploit	Event Monster < 1.2.0 - Visitors Deletion via CSRF	31 Oct 202200:00	–	wpexploit
WPVulnDB	Event Monster < 1.2.0 - Visitors Deletion via CSRF	31 Oct 202200:00	–	wpvulndb
Prion	Cross site request forgery (csrf)	21 Nov 202211:15	–	prion
Cvelist	CVE-2022-3336 Event Monster < 1.2.0 - Visitors Deletion via CSRF	21 Nov 202200:00	–	cvelist

Nvd

Vulners

Node

awplife event_monsterRange<1.2.0wordpress

[
  {
    "vendor": "Unknown",
    "product": "Event Monster",
    "collectionURL": "https://wordpress.org/plugins",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "1.2.0"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/57bc6633-1aeb-4c20-a2a5-9b3fa10ba95d

Parameter	Position	Path	Description	CWE
action	request body	/wp-admin/edit.php?post_type=awl_event_monster&page=em-visitors-page	The lack of CSRF protection allows attackers to delete arbitrary visitors by exploiting the delete action of logged in admins.	CWE-352, CWE-89
id	request body	/wp-admin/edit.php?post_type=awl_event_monster&page=em-visitors-page	The lack of CSRF protection allows attackers to delete arbitrary visitors by exploiting the delete action of logged in admins.	CWE-352, CWE-89

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

21 Nov 2022 11:15Current

4.5Medium risk

Vulners AI Score4.5

CVSS34.3

EPSS0.00103

SSVC