Lucene search

[email protected]NVD:CVE-2024-3682

HistoryApr 26, 2024 - 10:15 a.m.

CVE-2024-3682

2024-04-2610:15:11

[email protected]

web.nvd.nist.gov

wordpress

plugin vulnerability

sensitive information exposure

ajaxsendreport function

unauthenticated attackers

log file

system information

license keys

administrator

enable this option

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

The WP STAGING and WP STAGING Pro plugins for WordPress are vulnerable to Sensitive Information Exposure in versions up to, and including, 3.4.3, and versions up to, and including, 5.4.3, respectively, via the ajaxSendReport function. This makes it possible for unauthenticated attackers to extract sensitive data from a log file, including system information and (in the Pro version) license keys. Successful exploitation requires an administrator to have used the ‘Contact Us’ functionality along with the “Enable this option to automatically submit the log files.” option.

References

plugins.trac.wordpress.org/changeset/3076275/wp-staging

wp-staging.com/wp-staging-changelog/

wp-staging.com/wp-staging-pro-changelog/

www.wordfence.com/threat-intel/vulnerabilities/id/75eab54b-dbe0-4440-b4ab-601c5041e180?source=cve

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for NVD:CVE-2024-3682

cve1 cvelist1 wpvulndb1 wordfence1