CVE-2022-1092

Name of the Vulnerable Software and Affected Versions myCred WordPress plugin versions prior to 2.4.3.1

Description The issue concerns a lack of authorization and CSRF checks in the mycred-tools-import-export AJAX action. This allows any authenticated user to call the action and retrieve the list of email addresses present in the blog.

Recommendations For versions prior to 2.4.3.1, update to version 2.4.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the mycred-tools-import-export AJAX action to minimize the risk of exploitation.