CVE-2022-2312
Last modified
CVE-2022-2312 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scripting. EPSS estimates a 0.25% chance of exploitation in the next 30 days.
Description
The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scripting
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Student Result Or Employee Database Project | Student Result Or Employee Database | < 1.7.5 |
References
- https://wpscan.com/vulnerability/7548c1fb-77b5-4290-a297-35820edfe0f8Exploit, Third Party Advisory
- https://wpscan.com/vulnerability/7548c1fb-77b5-4290-a297-35820edfe0f8Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-2312?
How severe is CVE-2022-2312?
How do I fix CVE-2022-2312?
Are you affected by CVE-2022-2312?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST