NVD:CVE-2022-3677
History: Dec 05, 2022 - 5:15 p.m.

CVE-2022-3677

2022-12-05 17:15:10
web.nvd.nist.gov
Tags: advanced import wordpress, csrf attacks, arbitrary plugins

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 34.0%

The Advanced Import WordPress plugin before 1.3.8 does not have a CSRF check when installing and activating plugins, which could allow attackers to make a logged-in admin install arbitrary plugins from WordPress.org, and activate arbitrary ones from the blog, via CSRF attacks.

Affected configurations

Nvd
Node: addonspress advanced_import, Range <1.3.8, wordpress

Vendor: addonspress
Product: advanced_import
Version: *
CPE: cpe:2.3:a:addonspress:advanced_import:*:*:*:*:*:wordpress:*:*
