Lucene search

[email protected]NVD:CVE-2022-1903

HistoryJun 27, 2022 - 9:15 a.m.

CVE-2022-1903

2022-06-2709:15:10

CWE-862

[email protected]

web.nvd.nist.gov

armember

wordpress

plugin

account takeover

password change

unauthenticated users

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.7

Percentile

98.0%

JSON

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username

Affected configurations

Nvd

Node

armemberpluginarmemberRange<3.4.8wordpress

VendorProductVersionCPE
armemberpluginarmember*cpe:2.3:a:armemberplugin:armember:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
armemberplugin	armember	*	cpe:2.3:a:armemberplugin:armember::::::wordpress::*

References

wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.7

Percentile

98.0%

JSON

Related for NVD:CVE-2022-1903

cnvd1 prion1 nuclei1 patchstack1 cve1 cvelist1 githubexploit1