CVE-2022-3911 iubenda < 3.3.3 - Subscriber+ Privileges Escalation to Admin

Published: 2023-01-02 21:49:36
Source: WPScan (www.cve.org)
Tags: cve-2022-3911, iubenda, wordpress plugin, privileges escalation, authorization, csrf, ajax, authenticated users, subscriber, edit_plugins

AI Score: 8.8 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 26.7%)

The iubenda WordPress plugin before 3.3.3 does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin, as long as they are arrays. As a result, any authenticated user, such as a subscriber, can grant themselves any privileges, such as edit_plugins.
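
The description names three missing controls: a nonce check against CSRF, a capability check for authorisation, and a test that the option being written actually belongs to the plugin. The handler below is an added illustration of a WordPress AJAX action that applies all three; it is not iubenda's code, and the hook name, nonce action and option names are hypothetical placeholders.

```php
<?php
// Added example (not the plugin's own code): a WordPress AJAX handler
// hardened against the three weaknesses described above. Hook name,
// nonce action and option names are hypothetical placeholders.

// Only options this plugin owns may be written through this endpoint.
const EXAMPLE_PLUGIN_OPTIONS = array(
    'example_plugin_banner_settings',
    'example_plugin_consent_settings',
);

function example_plugin_save_options() {
    // Gap 1 (CSRF): reject requests that do not carry a valid nonce
    // for this action; check_ajax_referer() dies on failure.
    check_ajax_referer( 'example_plugin_save_options', 'nonce' );

    // Gap 2 (authorisation): being logged in is not enough. Only users
    // who may manage options get past this point; a Subscriber does not.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $name  = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : null;

    // Gap 3 (option ownership): "the value is an array" is not a
    // sufficient test. The option name must be on the plugin's own
    // allowlist, so a request naming any other site option is refused.
    if ( ! in_array( $name, EXAMPLE_PLUGIN_OPTIONS, true ) || ! is_array( $value ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    // Sanitise every leaf of the (possibly nested) array before storing.
    update_option( $name, map_deep( $value, 'sanitize_text_field' ) );
    wp_send_json_success();
}

// wp_ajax_* fires only for logged-in users, which is why the capability
// and nonce checks inside the handler are still required.
add_action( 'wp_ajax_example_plugin_save_options', 'example_plugin_save_options' );
```

The matching JavaScript must send the nonce produced by wp_create_nonce( 'example_plugin_save_options' ) in the `nonce` field, otherwise the first check rejects the request.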

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "3.3.3"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
