Description
Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) – Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress.
Affected Software
Related
{"id": "CVE-2022-44737", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-44737", "description": "Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) \u2013 Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress.", "published": "2022-11-22T16:15:00", "modified": "2022-11-28T15:05:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-44737", "reporter": "audit@patchstack.com", "references": ["https://patchstack.com/database/vulnerability/all-in-one-wp-security-and-firewall/wordpress-all-in-one-wp-security-plugin-5-1-0-multiple-cross-site-request-forgery-csrf-vulnerabilities?_s_id=cve"], "cvelist": ["CVE-2022-44737"], "immutableFields": [], "lastseen": "2022-11-28T17:30:51", "viewCount": 10, "enchantments": {"score": {"value": 1.9, "vector": "NONE"}, "twitter": {"counter": 7, "tweets": [{"link": "https://twitter.com/threatintelctr/status/1595091445488275458", "text": " NEW: CVE-2022-44737 Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) \u2013 Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress. \nhttps://t.co/voLdrfW1EU", "author": "threatintelctr", "author_photo": "https://pbs.twimg.com/profile_images/904224973987840000/dMy1x9Ho_400x400.jpg"}, {"link": "https://twitter.com/CVEreport/status/1595086009422598145", "text": "CVE-2022-44737 : Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security AIOS \u2013 Security and Firewall WordPress plugin <= 5.1.0 on WordPress....", "author": "CVEreport", "author_photo": "https://pbs.twimg.com/profile_images/589794568574357505/gwqqrkZn_400x400.png"}, {"link": "https://twitter.com/threatintelctr/status/1597258220652855298", "text": " NEW: CVE-2022-44737 Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) \u2013 Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress. Severity: HIGH https://t.co/voLdrfW1EU", "author": "threatintelctr", "author_photo": "https://pbs.twimg.com/profile_images/904224973987840000/dMy1x9Ho_400x400.jpg"}, {"link": "https://twitter.com/www_sesin_at/status/1597281834731192322", "text": "New post from https://t.co/9KYxtdZjkl (CVE-2022-44737 (all_in_one_wp_security_&_firewall)) has been published on https://t.co/FzHXfGF0k9", "author": "www_sesin_at", "author_photo": "https://pbs.twimg.com/profile_images/958100963822329858/fb_N8h5n_400x400.jpg"}, {"link": "https://twitter.com/WolfgangSesin/status/1597281832294293504", "text": "New post from https://t.co/uXvPWJy6tj (CVE-2022-44737 (all_in_one_wp_security_&_firewall)) has been published on https://t.co/K8QTi3sy2h", "author": "WolfgangSesin", "author_photo": "https://pbs.twimg.com/profile_images/957011635369054208/Om3jbj7z_400x400.jpg"}]}, "dependencies": {"references": [{"type": "patchstack", "idList": ["PATCHSTACK:9919FE41AAE97CBDC0EF967A5C66655C"]}]}, "affected_software": {"major_version": [{"name": "tipsandtricks-hq all in one wp security \\& firewall", "version": 5}]}, "vulnersScore": 1.9}, "_state": {"score": 1669656680, "dependencies": 1669656662, "twitter": 1669661059, "affected_software_major_version": 1671611801}, "_internal": {"score_hash": "12df91ec14a4f3d7596043700b7db641"}, "cna_cvss": {"cna": "Patchstack", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "score": 5.4}}}, "cpe": ["cpe:/a:tipsandtricks-hq:all_in_one_wp_security_\\&_firewall:5.1.0"], "cpe23": ["cpe:2.3:a:tipsandtricks-hq:all_in_one_wp_security_\\&_firewall:5.1.0:*:*:*:*:wordpress:*:*"], "cwe": ["CWE-352"], "affectedSoftware": [{"cpeName": "tipsandtricks-hq:all_in_one_wp_security_\\&_firewall", "version": "5.1.0", "operator": "le", "name": "tipsandtricks-hq all in one wp security \\& firewall"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:tipsandtricks-hq:all_in_one_wp_security_\\&_firewall:5.1.0:*:*:*:*:wordpress:*:*", "versionEndIncluding": "5.1.0", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://patchstack.com/database/vulnerability/all-in-one-wp-security-and-firewall/wordpress-all-in-one-wp-security-plugin-5-1-0-multiple-cross-site-request-forgery-csrf-vulnerabilities?_s_id=cve", "name": "https://patchstack.com/database/vulnerability/all-in-one-wp-security-and-firewall/wordpress-all-in-one-wp-security-plugin-5-1-0-multiple-cross-site-request-forgery-csrf-vulnerabilities?_s_id=cve", "refsource": "MISC", "tags": ["Third Party Advisory"]}]}
{"patchstack": [{"lastseen": "2022-11-22T18:05:50", "description": "Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Rafie Muhammad (Patchstack) in the WordPress All In One WP Security plugin (versions <= 5.1.0).\n\n## Solution\n\n\r\n Update the WordPress All In One WP Security & Firewall plugin to the latest available version (at least 5.1.1).\r\n ", "cvss3": {}, "published": "2022-11-22T00:00:00", "type": "patchstack", "title": "WordPress All In One WP Security plugin <= 5.1.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-44737"], "modified": "2022-11-22T00:00:00", "id": "PATCHSTACK:9919FE41AAE97CBDC0EF967A5C66655C", "href": "https://patchstack.com/database/vulnerability/all-in-one-wp-security-and-firewall/wordpress-all-in-one-wp-security-plugin-5-1-0-multiple-cross-site-request-forgery-csrf-vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}}], "cnvd": [{"lastseen": "2022-12-07T11:22:06", "description": "WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. \nWordPress All-In-One Security (AIOS) - Security and Firewall plugin version 5.1.0 and earlier is vulnerable to cross-site request forgery, which is caused by its inability to check random numbers for bulk operations and can be exploited to launch cross-site request forgery attacks.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-24T00:00:00", "type": "cnvd", "title": "WordPress All-In-One Security (AIOS) - Security and Firewall plugin cross-site request forgery vulnerability", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-44737"], "modified": "2022-12-07T00:00:00", "id": "CNVD-2022-85531", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-85531", "cvss": {"score": 0.0, "vector": "NONE"}}], "wpvulndb": [{"lastseen": "2022-12-06T02:36:55", "description": "The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as delete arbitrary blocked IPs) via CSRF attacks\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-22T00:00:00", "type": "wpvulndb", "title": "All-In-One Security < 5.1.1 - Bulk Actions via CSRF", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-44737"], "modified": "2022-11-22T21:17:13", "id": "WPVDB-ID:B3E97A48-1EDD-4AA8-B654-F9B8263714E0", "href": "https://wpscan.com/vulnerability/b3e97a48-1edd-4aa8-b654-f9b8263714e0", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}]}