Syncee – Global Dropshipping < 1.0.10 – Authentication Token Disclosure | CVE 2022-3694

Description

The plugin leaks the administrator token that can be used to take over the administrator's account.

Proof of Concept

The plugin sends a GET request to "/wp-json/syncee/retailer/v1/getDataForFrontend" endpoint to get access token of the administrator. An attacker can use this access token to takeover the administrator's Syncee account via adding new team member.

Affects Plugins

syncee-global-dropshipping

Fixed in 1.0.10

References

CVE

CVE-2022-3694

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

8.6 (high)

Miscellaneous

Original Researcher

5h4m4n53c

Submitter

5h4m4n53c

Verified

Yes

WPVDB ID

ad12bab7-9baf-4646-a93a-0d3286407c1e

Timeline

Publicly Published

2022-11-28 (about 3 years ago)

Added

2022-11-14 (about 3 years ago)

Last Updated

2022-11-14 (about 3 years ago)

Other

Published

Title

Published

2025-01-17

Title

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin < 2.9.2 - Information Exposure

Published

2025-07-16

Title

JetPopup < 2.0.15.1 - Authenticated (Subscriber+) Information Disclosure

Published

2025-12-26

Title

Project Manager <= 3.0.1 - Authenticated (Subscriber+) Information Exposure

Published

2025-03-07

Title

WP-Recall – Registration, Profile, Commerce & More < 16.26.12 - Authenticated (Contributor+) Protected Post Disclosure

Published

2023-11-24

Title

Prime Mover < 1.9.3 - Directory Listing to Sensitive Data Exposure