CVE-2022-4555

Опубликовано: 16 дек. 2022

Источник: nvd

CVSS3: 6.5

CVSS3: 5.3

EPSS Низкий

Описание

The WP Shamsi plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the deactivate() function hooked via init() in versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to deactivate arbitrary plugins on the site. This can be used to deactivate security plugins that aids in exploiting other vulnerabilities.

Ссылки

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2645044%40wp-shamsi&new=2645044%40wp-shamsi&sfp_email=&sfph_mail=
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/7b498c5a-9fd1-43b8-b456-f6cec65d5077
Third Party Advisory
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2645044%40wp-shamsi&new=2645044%40wp-shamsi&sfp_email=&sfph_mail=
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/7b498c5a-9fd1-43b8-b456-f6cec65d5077
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wpvar:wp_shamsi:*:*:*:*:*:wordpress:*:*

Версия до 4.1.1 (исключая)

EPSS

Процентиль: 70%

0.00651

Низкий

6.5 Medium

CVSS3

5.3 Medium

CVSS3

Дефекты

Связанные уязвимости

GHSA-2pq5-28h7-2x78

CVSS3: 5.3

github

около 3 лет назад

EPSS

Процентиль: 70%

0.00651

Низкий

6.5 Medium

CVSS3

5.3 Medium

CVSS3