
CVE-2022-3883

2022-12-12 18:15:11
CWE-863
CWE-352
web.nvd.nist.gov
cve-2022-3883
wordpress
plugin
security
vulnerability
ajax
csrf
wordpress.org

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

20.2%

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 7.24 does not perform a proper authorisation check or a CSRF (nonce) check in one of its AJAX actions. Any authenticated user, such as a subscriber, can therefore call the action directly, and a CSRF page can trigger it on behalf of a logged-in user, to install and activate arbitrary plugins from wordpress.org.
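The description above names two weaknesses on one AJAX action: a missing authorisation check (CWE-863) and a missing CSRF check (CWE-352). The code below is an added example, not the plugin's own code, showing a hypothetical WordPress AJAX handler with that shape next to a hardened version. The action names, function names, the `slug` parameter and the nonce action string are invented for illustration; the WordPress functions (`add_action`, `current_user_can`, `check_ajax_referer`, `plugins_api`, `Plugin_Upgrader`, `activate_plugin`) are real core APIs.

```php
<?php
// Added example (hypothetical plugin code, not the plugin described on this page).
// Shows the vulnerable shape of a "install a plugin from wordpress.org" AJAX
// action and a hardened version of the same action.

// --- Vulnerable pattern (CWE-863 + CWE-352) -------------------------------
// wp_ajax_{action} fires for ANY logged-in user, regardless of role. With no
// capability check and no nonce check, a subscriber can POST
// action=example_install_plugin&slug=<any-slug> to admin-ajax.php, and a
// third-party page can make a logged-in user's browser send the same request.
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_vulnerable' );

function example_install_plugin_vulnerable() {
    $slug = sanitize_key( $_POST['slug'] );
    example_install_and_activate( $slug );
    wp_send_json_success( 'installed' );
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_example_install_plugin_v2', 'example_install_plugin_hardened' );

function example_install_plugin_hardened() {
    // Authorisation: installing/activating plugins is an administrator-level
    // capability; a subscriber fails both checks.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: the request must carry a nonce issued to this user for this action.
    // check_ajax_referer() dies with -1 if the 'nonce' field is missing/invalid.
    check_ajax_referer( 'example_install_plugin_nonce', 'nonce' );

    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }
    $result = example_install_and_activate( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( 'installed' );
}

// Shared helper: resolve the slug via the wordpress.org API, download and
// unpack the package, then activate it. Returns true or a WP_Error.
function example_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) ) {
        return $installed;
    }
    if ( ! $installed ) {
        return new WP_Error( 'install_failed', 'plugin install failed' );
    }
    $plugin_file = $upgrader->plugin_info();
    return activate_plugin( $plugin_file );
}

// Front-end side of the CSRF defence: the nonce is minted only into the
// plugin's own admin page. Assumes a script with handle 'example-admin'
// has already been registered (hypothetical handle).
function example_enqueue_admin_script() {
    wp_localize_script( 'example-admin', 'exampleInstall', array(
        'nonce' => wp_create_nonce( 'example_install_plugin_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When auditing a plugin for this bug class, grep for every `add_action( 'wp_ajax_` (and `wp_ajax_nopriv_`, which additionally exposes the handler to unauthenticated requests) and confirm the callback performs both a `current_user_can()` check for the capability the action actually needs and a `check_ajax_referer()` / `wp_verify_nonce()` check before it does anything state-changing. Note that the two checks are independent: a nonce alone does not stop a subscriber who can fetch it from a page they can view, and a capability check alone does not stop a CSRF against an administrator.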

Affected configurations

Vulners / NVD

Node: stopbadbots block_bad_bots_and_stop_bad_bots_crawlers_and_spiders_and_anti_spam_protection, range < 7.24

Vendor: stopbadbots
Product: block_bad_bots_and_stop_bad_bots_crawlers_and_spiders_and_anti_spam_protection
Version: * (all versions before 7.24 per the node range above)
CPE: cpe:2.3:a:stopbadbots:block_bad_bots_and_stop_bad_bots_crawlers_and_spiders_and_anti_spam_protection:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection",
    "collectionURL": "https://wordpress.org/plugins",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "7.24"
      }
    ],
    "defaultStatus": "unaffected"
  }
]