Description
The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF checks in its bnfw_search_users AJAX action, allowing any authenticated user to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one, etc.).
References
- Exploit; Third Party Advisory
- Exploit; Third Party Advisory
Vulnerable configurations
Configuration 1: version before 1.8.7 (excluding)
cpe:2.3:a:madewithfuel:customize_wordpress_emails_and_alerts:*:*:*:*:*:wordpress:*:*
EPSS
Percentile: 26%
Score: 0.00093
Low
CVSS3: 4.3 Medium
CVSS2: 4 Medium
Defects
CWE-352
Related vulnerabilities
CVSS3: 4.3
github
almost 4 years ago