← voltar
CVE-2022-3024

Simple Bitcoin Faucets <= 1.7.0 - Unauthorised AJAX Call to Stored XSS

CVSS 5.4 MEDIUMEPSS 0.2%CWE-352CWE-863
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 5.4EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
26 set 2022Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The Simple Bitcoin Faucets WordPress plugin through 1.7.0 does not have any authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N