PT-2022-25172 · Twilio
Lana Codes · Published 2022-12-12 · Updated 2022-12-15
CVE-2022-4004 · CVSS v3.1 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Donation Button WordPress plugin versions through 4.0.0
Description
The issue is a missing privilege (capability) check and a missing nonce token check in the
donation button twilio send test sms AJAX action. This may allow any user with an account on the affected site to send SMS messages to arbitrary phone numbers through the plugin's Twilio integration.
Recommendations
For Donation Button WordPress plugin versions through 4.0.0, consider disabling the
donation button twilio send test sms AJAX action until a patch is available, to prevent unauthorized use of the Twilio integration.
Exploit
Fix
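As an added illustration, not part of this advisory and not the Donation Button plugin's code or the vendor's fix, the PHP below shows on a hypothetical WordPress AJAX handler what the description's "lack of privilege and nonce checks" looks like, the hardened shape a fix needs (nonce check, capability check, input validation), and, matching the recommendation above, an interim must-use plugin that unhooks the action until a patch is installed. The hook slug `EXAMPLE_twilio_send_test_sms`, the nonce action, the `manage_options` capability and the option names are placeholders and assumptions; the plugin's real identifiers must be substituted.

```php
<?php
/**
 * Added illustration, not the Donation Button plugin's code and not the
 * vendor's fix: a hypothetical "send test SMS" AJAX handler in the
 * vulnerable shape the advisory describes, the hardened shape, and an
 * interim mu-plugin that disables the action. Every identifier prefixed
 * EXAMPLE_/example_ is a placeholder; substitute the plugin's real names.
 */

// Hypothetical helper: posts to Twilio's Messages resource. The option
// names holding the credentials are assumed, not the plugin's.
function example_send_sms_via_twilio( $to, $body ) {
    $sid   = get_option( 'example_twilio_account_sid' );
    $token = get_option( 'example_twilio_auth_token' );
    $from  = get_option( 'example_twilio_from_number' );
    return wp_remote_post(
        "https://api.twilio.com/2010-04-01/Accounts/{$sid}/Messages.json",
        array(
            'headers' => array( 'Authorization' => 'Basic ' . base64_encode( "{$sid}:{$token}" ) ),
            'body'    => array( 'To' => $to, 'From' => $from, 'Body' => $body ),
            'timeout' => 10,
        )
    );
}

// --- Vulnerable shape (do not deploy): what "lack of privilege and nonce
// checks" looks like. The hook is wp_ajax_* (not wp_ajax_nopriv_*), so any
// logged-in account reaches it, and without a nonce a cross-site request
// made by that account's browser reaches it too.
function example_twilio_send_test_sms_vulnerable() {
    $to   = isset( $_POST['to'] )   ? $_POST['to']   : '';
    $body = isset( $_POST['body'] ) ? $_POST['body'] : '';
    example_send_sms_via_twilio( $to, $body );
    wp_send_json_success();
}
// A vulnerable plugin registers it with:
// add_action( 'wp_ajax_EXAMPLE_twilio_send_test_sms', 'example_twilio_send_test_sms_vulnerable' );

// --- Hardened shape: nonce check, capability check, input validation ---
function example_twilio_send_test_sms_hardened() {
    // 1. Nonce: the settings page must send wp_create_nonce( 'EXAMPLE_twilio_test_sms' )
    //    as the 'nonce' field; a mismatch ends the request with HTTP 403.
    check_ajax_referer( 'EXAMPLE_twilio_test_sms', 'nonce' );

    // 2. Privilege: only users who administer the site may send a test SMS.
    //    'manage_options' is an assumed choice of capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Input: E.164-style recipient, non-empty body capped at 160 characters.
    $to   = isset( $_POST['to'] )   ? sanitize_text_field( wp_unslash( $_POST['to'] ) )   : '';
    $body = isset( $_POST['body'] ) ? sanitize_text_field( wp_unslash( $_POST['body'] ) ) : '';
    if ( ! preg_match( '/^\+[1-9][0-9]{6,14}$/', $to ) || '' === $body || strlen( $body ) > 160 ) {
        wp_send_json_error( array( 'message' => 'Invalid recipient or message.' ), 400 );
    }

    // Twilio answers 201 Created when the message resource is accepted.
    $response = example_send_sms_via_twilio( $to, $body );
    if ( is_wp_error( $response ) || 201 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( array( 'message' => 'Twilio request failed.' ), 502 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_EXAMPLE_twilio_send_test_sms', 'example_twilio_send_test_sms_hardened' );

// --- Interim mitigation: a separate file in wp-content/mu-plugins/ ---
// Runs after plugins have registered their handlers, so admin-ajax.php
// finds none for this action and replies "0" without sending anything.
add_action( 'admin_init', function () {
    remove_all_actions( 'wp_ajax_EXAMPLE_twilio_send_test_sms' );
}, PHP_INT_MAX );
```

The order of the checks in the hardened handler matters: `check_ajax_referer()` runs first so that a forged cross-site request is rejected before any user-specific logic, and the capability check follows so that a valid nonce held by a low-privileged account is still not enough. The mu-plugin is only a stopgap; once the plugin ships a patched version, remove the file so the restored handler is used.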
Related Identifiers
Affected Products
Twilio