CVE-2022-0287

Name of the Vulnerable Software and Affected Versions myCred WordPress plugin versions prior to 2.4.4.1

Description The issue affects the myCred WordPress plugin, where the mycred-tools-select-user AJAX action lacks authorization, allowing any authenticated user to retrieve all email addresses from the blog. This can be exploited by any authenticated user, such as a subscriber, to call the action and obtain sensitive information.

Recommendations For versions prior to 2.4.4.1, update to version 2.4.4.1 or later to resolve the issue. As a temporary workaround, consider disabling the mycred-tools-select-user AJAX action until a patch is available. Restrict access to the myCred plugin's functionality to minimize the risk of exploitation.