PT-2022-27572 · WordPress · Wp Shamsi

Chloe Chamberland · Published 2022-12-16 · Updated 2022-12-20 · CVE-2022-4555

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions: WP Shamsi plugin for WordPress versions up to, and including, 4.1.0

Description: The WP Shamsi plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the deactivate() function hooked via init(). This makes it possible for unauthenticated attackers to deactivate arbitrary plugins on the site, which can be used to deactivate security plugins and aid in exploiting other vulnerabilities.

Recommendations: For WP Shamsi plugin for WordPress versions up to, and including, 4.1.0, update to a version higher than 4.1.0 to resolve the issue. As a temporary workaround, consider disabling the deactivate() function until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation.

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2022-4555

Affected Products: Wp Shamsi