CVE-2022-0833
CVE-2022-0833 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. EPSS estimates a 0.49% chance of exploitation in the next 30 days.
Description
The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF checks in some of its actions, as well as in requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Church Admin Project | Church Admin | < 3.4.135 |
References
- https://wpscan.com/vulnerability/b2c7c1e8-d72c-4b1e-b5cb-dc2a6538965d (Exploit, Third Party Advisory)
Source: NVD / NIST
