CVE-2022-3926

🗓️ 05 Dec 2022 16:50:35Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 45 Views🌐 WEB

The WP OAuth Server WordPress plugin before 3.4.2 allows CSRF attacks

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2022-3926	5 Dec 202220:40	–	circl
CNNVD	WordPress plugin WP OAuth Server 跨站请求伪造漏洞	5 Dec 202200:00	–	cnnvd
Cvelist	CVE-2022-3926 WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF	5 Dec 202216:50	–	cvelist
EUVD	EUVD-2022-43260	3 Oct 202520:07	–	euvd
NVD	CVE-2022-3926	5 Dec 202217:15	–	nvd
Prion	Cross site request forgery (csrf)	5 Dec 202217:15	–	prion
Positive Technologies	PT-2022-24852 · WordPress · Wp Oauth Server	5 Dec 202200:00	–	ptsecurity
RedhatCVE	CVE-2022-3926	22 May 202523:21	–	redhatcve
Vulnrichment	CVE-2022-3926 WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF	5 Dec 202216:50	–	vulnrichment
wpexploit	WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF	10 Nov 202200:00	–	wpexploit

NVD

Vulners

Node

wp-oauth wp_oauth_serverRange<3.4.2wordpress

[
  {
    "vendor": "Unknown",
    "product": "WP OAuth Server (OAuth Authentication)",
    "collectionURL": "https://wordpress.org/plugins",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "3.4.2"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/e1fcde2a-91a5-40cb-876b-884f01c80336

Parameter	Position	Path	Description	CWE
action	request body	wp-admin/admin-ajax.php	CSRF protection missing when regenerating secrets via admin-ajax.php, enabling logged-in admins to regenerate a client secret by crafting a request with the client ID.	CWE-352
data	request body	wp-admin/admin-ajax.php	CSRF protection missing when regenerating secrets via admin-ajax.php, enabling logged-in admins to regenerate a client secret by crafting a request with the client ID.	CWE-352

23 Apr 2025 16:15Current

6.5Medium risk

Vulners AI Score6.5

CVSS 3.16.5

EPSS0.00078

SSVC

CWE-352