CVE-2022-0363

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions myCred WordPress plugin versions prior to 2.4.3.1

Description The issue concerns the lack of authorization and CSRF checks in the mycred-tools-import-export AJAX action. This allows any authenticated users, such as subscribers, to call the action and import mycred setup, potentially creating badges, managing points, or creating arbitrary posts.

Recommendations For versions prior to 2.4.3.1, update to version 2.4.3.1 or later to resolve the issue. As a temporary workaround, consider disabling the mycred-tools-import-export AJAX action until a patch is available. Restrict access to the mycred-tools-import-export functionality to minimize the risk of exploitation.

Exploit

Fix

Missing Authorization

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862CWE-352

Related Identifiers

CVE-2022-0363

Affected Products

Mycred

CVE-2022-0363

Weakness Enumeration

Related Identifiers

Affected Products

References · 6