History: Mar 28, 2022 - 5:23 p.m.

CVE-2022-0833 Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure

Published: 2022-03-28 17:23:26
Source: WPScan
Reference: www.cve.org
Tags: cve-2022-0833, church admin, wordpress plugin, unauthenticated, backup disclosure, csrf, authorization, attackers, temporary file, plugin's db data

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

39.5%

The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF checks in some of its actions and requested files. This allows unauthenticated attackers to repeatedly request the "refresh-backup" action while simultaneously requesting a publicly accessible temporary file generated by the plugin, in order to disclose the final backup filename; the attacker can then fetch that file to download the backup of the plugin's DB data.

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Church Admin",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "3.4.135"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
