
exploitDog

CVE-2022-0404

Published: 04 Apr 2022
Source: nvd
CVSS3: 6.5
CVSS2: 4
EPSS: Low

Description

The Material Design for Contact Form 7 WordPress plugin through 2.6.4 does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7md_dismiss_notice action, allowing any logged in user (with roles as low as Subscriber) to set arbitrary options to true, potentially leading to Denial of Service by breaking the site.

Vulnerable configurations

Configuration 1
cpe:2.3:a:material_design_for_contact_form_7_project:material_design_for_contact_form_7:*:*:*:*:*:wordpress:*:*
Versions up to and including 2.6.4

EPSS

Percentile: 50%
0.00269
Low

6.5 Medium

CVSS3

4 Medium

CVSS2

Weaknesses

CWE-862

Related vulnerabilities

CVSS3: 6.5
github
almost 4 years ago

The Material Design for Contact Form 7 WordPress plugin through 2.6.4 does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7md_dismiss_notice action, allowing any logged in user (with roles as low as Subscriber) to set arbitrary options to true, potentially leading to Denial of Service by breaking the site.
