Lucene search
CVE-2022-3907
The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests
Show more
| Reporter | Title | Published | Views | Family All 6 |
|---|---|---|---|---|
 | CVE-2022-3907 | 5 Dec 202217:15 | – | nvd |
 | Cross site scripting | 5 Dec 202217:15 | – | prion |
 | WordPress Clerk plugin <= 3.8.2 - Auth. Bypass and API Keys Disclosure vulnerability | 10 Nov 202200:00 | – | patchstack |
 | Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure | 10 Nov 202200:00 | – | wpvulndb |
 | Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure | 10 Nov 202200:00 | – | wpexploit |
 | CVE-2022-3907 Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure | 5 Dec 202216:50 | – | cvelist |
[
{
"vendor": "Unknown",
"product": "Clerk",
"versions": [
{
"status": "affected",
"versionType": "custom",
"version": "0",
"lessThan": "4.0.0"
}
],
"defaultStatus": "unaffected",
"collectionURL": "https://wordpress.org/plugins"
}
]| Parameter | Position | Path | Description | CWE |
|---|---|---|---|---|
| key | query param | /wp-json/clerk/getconfig | The endpoint allows API key validation which is vulnerable to time-based attacks due to usage of comparison operators. | CWE-203 |
| private_key | query param | /wp-json/clerk/getconfig | The endpoint allows API key validation which is vulnerable to time-based attacks due to usage of comparison operators. | CWE-203 |
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo05 Dec 2022 17:15Current
7.4High risk
Vulners AI Score7.4
CVSS37.5
EPSS0.0025