PT-2022-13119 · WordPress · Customize Wordpress Emails/Alerts

Krzysztof Zając · Published 2022-02-28 · Updated 2023-08-02 · CVE-2022-0345

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

The Customize WordPress Emails and Alerts WordPress plugin, versions prior to 1.8.7.
Description

The bnfw search users AJAX action performs neither an authorization (capability) check nor a CSRF (nonce) check. Any authenticated user, including one with the lowest-privileged role, can therefore call the action and search accounts by e-mail prefix. Because the response reveals whether any account matches a given prefix, an attacker can recover users' e-mail addresses one character at a time: find the first letter, then the second, then the third, and so on. The missing nonce additionally lets a third-party page trigger the same search from the browser of a logged-in user.
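The following PHP CLI script is an added illustration, not code from the advisory or from the plugin, of why a prefix-matching user search works as an e-mail enumeration oracle. The closure stands in for the unprotected AJAX endpoint, the three accounts are constructed sample data, and the candidate alphabet is an assumption; the search routine is the general depth-first extension the description sketches (first letter, then second, and so on), and it also handles the case where one recovered address is a prefix of another.

```php
<?php
// Added illustration, not the plugin's code: why a prefix-matching user
// search doubles as an e-mail enumeration oracle. The closure below stands
// in for the unprotected AJAX endpoint; the user list is constructed data.

// Constructed sample accounts (in a real attack these live in wp_users).
$users = array(
    array( 'login' => 'admin',   'email' => 'admin@example.org' ),
    array( 'login' => 'editor1', 'email' => 'ellen@example.org' ),
    array( 'login' => 'sub42',   'email' => 'sub42@example.net' ),
);

// Simulated endpoint: how many accounts have an e-mail beginning with $prefix?
// The real endpoint returns matching users; for the attacker, "at least one
// result" versus "no results" is all the signal that is needed.
$oracle = function ( string $prefix ) use ( $users ): int {
    $hits = 0;
    foreach ( $users as $u ) {
        if ( strncasecmp( $u['email'], $prefix, strlen( $prefix ) ) === 0 ) {
            $hits++;
        }
    }
    return $hits;
};

// Characters worth trying at each position (assumed alphabet; widen as needed).
$alphabet = array_merge( range( 'a', 'z' ), range( '0', '9' ), array( '@', '.', '_', '-', '+' ) );

/**
 * Depth-first extension of $prefix by one character at a time.
 * $count is the number of accounts already known to match $prefix.
 * If fewer accounts match the one-character extensions than matched
 * $prefix itself, some address ends exactly at $prefix, so it is recorded.
 * Every oracle call is counted so the cost of the attack is visible.
 */
function enumerate_emails( callable $oracle, array $alphabet, string $prefix, int $count, array &$found, int &$queries ): void {
    $extended = 0;
    foreach ( $alphabet as $c ) {
        $n = $oracle( $prefix . $c );
        $queries++;
        if ( $n > 0 ) {
            $extended += $n;
            enumerate_emails( $oracle, $alphabet, $prefix . $c, $n, $found, $queries );
        }
    }
    if ( $count > $extended ) {
        $found[] = $prefix;
    }
}

$found   = array();
$queries = 0;
enumerate_emails( $oracle, $alphabet, '', $oracle( '' ), $found, $queries );
sort( $found );

printf( "%d address(es) recovered with %d prefix queries:\n", count( $found ), $queries );
foreach ( $found as $email ) {
    echo "  $email\n";
}
```

Run it with `php enumerate.php`; all three constructed addresses come back. The query count grows linearly with the total length of the addresses times the alphabet size, which is why a single low-privileged account is enough to harvest a whole site's user e-mails in minutes, and why C:L in the CVSS vector is the right scoring: the data is confidential but the exposure is limited to addresses.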
Recommendations

Update the plugin to version 1.8.7 or later, which resolves the issue. Until the update can be applied, restrict the bnfw search users AJAX action to users who are allowed to view the user list (for example, by enforcing a capability check before the plugin's handler runs), so that low-privileged accounts can no longer use it as an e-mail oracle.
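One way to implement the temporary workaround, as an added example that is not part of the advisory or of the plugin: a must-use plugin that hooks the same AJAX action at an earlier priority and rejects callers without the `list_users` capability. It assumes the plugin registers its handler on the WordPress hook `wp_ajax_bnfw_search_users` (an assumption to confirm against the installed plugin's source). For comparison, the second half shows the shape of a handler that is fixed outright with both a nonce check and a capability check; the function and nonce action names there are illustrative.

```php
<?php
/**
 * Plugin Name: Restrict bnfw user search (temporary workaround)
 * Description: Added illustration, not part of the plugin. Save as
 *              wp-content/mu-plugins/restrict-bnfw-search.php.
 *
 * Assumption: the plugin registers its search handler on the WordPress hook
 * wp_ajax_bnfw_search_users. Confirm the exact action name in the installed
 * plugin (grep for "wp_ajax_" in its source) before relying on this guard.
 */

// Priority 1 runs before the plugin's own callback (default priority 10), so a
// caller who fails the check never reaches the vulnerable handler.
add_action( 'wp_ajax_bnfw_search_users', function () {
    // list_users is the capability WordPress itself requires to search or view
    // the user list; subscribers and other low-privileged roles do not have it.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 ); // exits
    }
}, 1 );

/*
 * For comparison, the shape of a handler that is fixed rather than wrapped
 * (illustrative names; the plugin's own code differs). The nonce must be
 * created with wp_create_nonce( 'example_search_users' ) and sent by the
 * admin-side JavaScript, which is why a mu-plugin guard cannot add the CSRF
 * check on its own without breaking the plugin's legitimate requests.
 */
function example_secure_search_users() {
    check_ajax_referer( 'example_search_users', 'nonce' );   // CSRF: dies on a bad or missing nonce
    if ( ! current_user_can( 'list_users' ) ) {               // authorization
        wp_send_json_error( null, 403 );
    }

    $term = sanitize_text_field( wp_unslash( $_GET['term'] ?? '' ) );
    if ( strlen( $term ) < 3 ) {
        // A minimum length raises the cost of blind single-character probing;
        // the real defence is the capability check above.
        wp_send_json_success( array() );
    }

    $query = new WP_User_Query( array(
        'search'         => '*' . $term . '*',
        'search_columns' => array( 'user_login', 'display_name' ), // never user_email
        'number'         => 20,
        'fields'         => array( 'ID', 'display_name' ),
    ) );

    wp_send_json_success( $query->get_results() );            // ids and names only, no addresses
}
add_action( 'wp_ajax_example_secure_search_users', 'example_secure_search_users' );
```

The guard is deliberately a capability check only: the plugin's JavaScript in affected versions does not send a nonce for this action, so adding `check_ajax_referer()` in the wrapper would break the plugin for legitimate administrators. The fixed handler shows where both checks belong and also stops searching or returning the `user_email` column, which removes the oracle even for users who are allowed to search.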

Weakness Enumeration

Missing Authorization
CSRF

Related Identifiers

CVE-2022-0345

Affected Products

Customize Wordpress Emails/Alerts