CVE-2022-3911
Last modified
CVE-2022-3911 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. The iubenda WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as edit_plugins etc. EPSS estimates a 0.46% chance of exploitation in the next 30 days.
Description
The iubenda WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as edit_plugins etc
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Iubenda | Iubenda-Cookie-Law-Solution | < 3.3.3 |
References
- https://wpscan.com/vulnerability/c47fdca8-74ac-48a4-9780-556927fb4e52Exploit, Third Party Advisory
- https://wpscan.com/vulnerability/c47fdca8-74ac-48a4-9780-556927fb4e52Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-3911?
How severe is CVE-2022-3911?
How do I fix CVE-2022-3911?
Are you affected by CVE-2022-3911?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST