CVE-2022-0952

Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update

EPSS 13.3%

Vexday Risk Score

23Bajo

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS —EPSS 13.3%KEV nãoPoC —Nuclei simMetasploit —Patch —

Ciclo de vida

02 may 2022Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.

Productos afectados

Unknown · Sitemap by click5

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://wpscan.com/vulnerability/0f694961-afab-44f9-846c-e80a0f6c768b