Lucene search

PRIOn knowledge basePRION:CVE-2022-2864

HistoryOct 28, 2022 - 5:15 p.m.

Cross site request forgery (csrf)

2022-10-2817:15:00

PRIOn knowledge base

www.prio-n.com

wordpress

cross-site request forgery

vulnerable

nonce validation

settings

injection

unauthenticated attackers

administrators

8.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.8%

JSON

The demon image annotation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7. This is due to missing nonce validation in the ~/includes/settings.php file. This makes it possible for unauthenticated attackers to modify the plugin’s settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CPENameOperatorVersion
demon_image_annotationlt4.8

CPE	Name	Operator	Version
	demon_image_annotation	lt	4.8

References

plugins.trac.wordpress.org/browser/demon-image-annotation/trunk/includes/settings.php

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2772352%40demon-image-annotation&new=2772352%40demon-image-annotation&sfp_email=&sfph_mail=

www.wordfence.com/vulnerability-advisories/