CVE-2022-4385

Intuitive Custom Post Order < 3.1.4 - Subscriber+ Arbitrary Menu Order Update

EPSS 0.5% | CWE-862
Vexday Risk Score: 3 (Low)
SSVC decision (CISA): Track
No exploitation signal → monitor
CVSS | EPSS 0.5% | KEV: no | PoC | Nuclei | Metasploit | Patch
Lifecycle
21 Feb 2023: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Intuitive Custom Post Order WordPress plugin before 3.1.4 does not perform an authorization check in the update-menu-order AJAX action, allowing any logged-in user (with a role as low as Subscriber) to update the menu order.