Vulnerability-Lookup

CVE-2022-3154 (GCVE-0-2022-3154)

Vulnerability from cvelistv5 – Published: 2022-10-10 00:00 – Updated: 2024-08-03 01:00

Title

Multiple Plugins from Viszt Peter - Multiple CSRF

Summary

The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo & Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu & Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin's license

Severity ?

No CVSS data available.

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

WPScan

References

URL

Tags

https://wpscan.com/vulnerability/cda978b2-b31f-49…

Impacted products

Vendor

Product

Version

TODO

Woo Billingo Plus

Affected: 4.4.5.4 , < 4.4.5.4 (custom)

	TODO	Integration for Billingo & Gravity Forms	Affected: 1.0.4 , < 1.0.4 (custom)
	TODO	Integration for Szamlazz.hu & Gravity Forms	Affected: 1.2.7 , < 1.2.7 (custom)

Credits

Lana Codes

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:00:10.538Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Woo Billingo Plus",
          "vendor": "TODO",
          "versions": [
            {
              "lessThan": "4.4.5.4",
              "status": "affected",
              "version": "4.4.5.4",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Integration for Billingo \u0026 Gravity Forms",
          "vendor": "TODO",
          "versions": [
            {
              "lessThan": "1.0.4",
              "status": "affected",
              "version": "1.0.4",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Integration for Szamlazz.hu \u0026 Gravity Forms",
          "vendor": "TODO",
          "versions": [
            {
              "lessThan": "1.2.7",
              "status": "affected",
              "version": "1.2.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Lana Codes"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo \u0026 Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu \u0026 Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin\u0027s license"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-10T00:00:00",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "url": "https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Multiple Plugins from Viszt Peter - Multiple CSRF",
      "x_generator": "WPScan CVE Generator"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-3154",
    "datePublished": "2022-10-10T00:00:00",
    "dateReserved": "2022-09-07T00:00:00",
    "dateUpdated": "2024-08-03T01:00:10.538Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:woo_billingo_plus_project:woo_billingo_plus:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"4.4.5.4\", \"matchCriteriaId\": \"DB344D27-D79B-4564-8EAC-0267B2586973\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:integration_for_billingo_\\\\\u0026_gravity_forms_project:integration_for_billingo_\\\\\u0026_gravity_forms:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"1.0.4\", \"matchCriteriaId\": \"010CF706-3C08-4FDB-A08E-ACC4FFE2F5CA\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:integration_for_szamlazz.hu_\\\\\u0026_gravity_forms_project:integration_for_szamlazz.hu_\\\\\u0026_gravity_forms:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"1.2.7\", \"matchCriteriaId\": \"51AA6F7C-B2A6-4FCD-A532-F23843D16B78\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo \u0026 Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu \u0026 Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin\u0027s license\"}, {\"lang\": \"es\", \"value\": \"El plugin Woo Billingo Plus de WordPress versiones anteriores a 4.4.5.4, el plugin Integration for Billingo \u0026amp; Gravity Forms de WordPress versiones anteriores a 1.0.4 y el plugin Integration for Szamlazz.hu \u0026amp; Gravity Forms de WordPress versiones anteriores a 1.2.7 carecen de comprobaciones de tipo CSRF en varias acciones AJAX, lo que podr\\u00eda permitir a atacantes hacer que los administradores de tiendas registrados y superiores lleven a cabo acciones no deseadas, como desactivar la licencia del plugin\"}]",
      "id": "CVE-2022-3154",
      "lastModified": "2024-11-21T07:18:56.397",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 4.2}]}",
      "published": "2022-10-10T21:15:11.510",
      "references": "[{\"url\": \"https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "contact@wpscan.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"contact@wpscan.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-3154\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2022-10-10T21:15:11.510\",\"lastModified\":\"2024-11-21T07:18:56.397\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo \u0026 Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu \u0026 Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin\u0027s license\"},{\"lang\":\"es\",\"value\":\"El plugin Woo Billingo Plus de WordPress versiones anteriores a 4.4.5.4, el plugin Integration for Billingo \u0026amp; Gravity Forms de WordPress versiones anteriores a 1.0.4 y el plugin Integration for Szamlazz.hu \u0026amp; Gravity Forms de WordPress versiones anteriores a 1.2.7 carecen de comprobaciones de tipo CSRF en varias acciones AJAX, lo que podr\u00eda permitir a atacantes hacer que los administradores de tiendas registrados y superiores lleven a cabo acciones no deseadas, como desactivar la licencia del plugin\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"contact@wpscan.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:woo_billingo_plus_project:woo_billingo_plus:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"4.4.5.4\",\"matchCriteriaId\":\"DB344D27-D79B-4564-8EAC-0267B2586973\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:integration_for_billingo_\\\\\u0026_gravity_forms_project:integration_for_billingo_\\\\\u0026_gravity_forms:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"1.0.4\",\"matchCriteriaId\":\"010CF706-3C08-4FDB-A08E-ACC4FFE2F5CA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:integration_for_szamlazz.hu_\\\\\u0026_gravity_forms_project:integration_for_szamlazz.hu_\\\\\u0026_gravity_forms:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"1.2.7\",\"matchCriteriaId\":\"51AA6F7C-B2A6-4FCD-A532-F23843D16B78\"}]}]}],\"references\":[{\"url\":\"https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

GSD-2022-3154

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-3154

Aliases

CVE-2022-3154

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-3154",
    "id": "GSD-2022-3154"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-3154"
      ],
      "details": "The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo \u0026 Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu \u0026 Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin\u0027s license",
      "id": "GSD-2022-3154",
      "modified": "2023-12-13T01:19:39.953017Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "contact@wpscan.com",
        "ID": "CVE-2022-3154",
        "STATE": "PUBLIC",
        "TITLE": "Multiple Plugins from Viszt Peter - Multiple CSRF"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Woo Billingo Plus",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "4.4.5.4",
                          "version_value": "4.4.5.4"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Integration for Billingo \u0026 Gravity Forms",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "1.0.4",
                          "version_value": "1.0.4"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Integration for Szamlazz.hu \u0026 Gravity Forms",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "1.2.7",
                          "version_value": "1.2.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "TODO"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Lana Codes"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo \u0026 Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu \u0026 Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin\u0027s license"
          }
        ]
      },
      "generator": "WPScan CVE Generator",
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd",
            "refsource": "MISC",
            "url": "https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd"
          }
        ]
      },
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:woo_billingo_plus_project:woo_billingo_plus:*:*:*:*:*:wordpress:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.4.5.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:integration_for_billingo_\\\u0026_gravity_forms_project:integration_for_billingo_\\\u0026_gravity_forms:*:*:*:*:*:wordpress:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.0.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:integration_for_szamlazz.hu_\\\u0026_gravity_forms_project:integration_for_szamlazz.hu_\\\u0026_gravity_forms:*:*:*:*:*:wordpress:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.2.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-3154"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo \u0026 Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu \u0026 Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin\u0027s license"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      },
      "lastModifiedDate": "2022-10-13T15:19Z",
      "publishedDate": "2022-10-10T21:15Z"
    }
  }
}

GHSA-2CX5-VJFR-G5QR

Vulnerability from github – Published: 2022-10-11 12:00 – Updated: 2022-10-13 19:00

Details

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-3154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-10T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo \u0026 Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu \u0026 Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin\u0027s license",
  "id": "GHSA-2cx5-vjfr-g5qr",
  "modified": "2022-10-13T19:00:21Z",
  "published": "2022-10-11T12:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3154"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2022-87360

Vulnerability from cnvd - Published: 2022-12-14

Title

WordPress Woo Billingo Plus and Integration for Billingo ＆ Gravity Forms跨站请求伪造漏洞

Description

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Woo Billingo Plus 4.4.5.4之前版本、Integration for Billingo ＆ Gravity Forms 1.0.4之前版本、Integration for Szamlazz.hu & Gravity Forms 1.2.7之前版本存在跨站请求伪造漏洞，该漏洞源于其在各种AJAX操作中缺乏对于跨站请求伪造的检查，攻击者可利用漏洞使已登录的Shop Managers及其以上执行非想要的操作。

Severity

高

Patch Name

WordPress Woo Billingo Plus and Integration for Billingo ＆ Gravity Forms跨站请求伪造漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd

Reference

https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd

Impacted products

Name
['WordPress Woo Billingo Plus <4.4.5.4', 'WordPress Integration for Billingo ＆ Gravity Forms <1.0.4', 'WordPress Integration for Szamlazz.hu & Gravity Forms <1.2.7']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-3154",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-3154"
    }
  },
  "description": "WordPress\u548cWordPress plugin\u90fd\u662fWordPress\u57fa\u91d1\u4f1a\u7684\u4ea7\u54c1\u3002WordPress\u662f\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002WordPress plugin\u662f\u4e00\u4e2a\u5e94\u7528\u63d2\u4ef6\u3002\n\nWordPress Woo Billingo Plus 4.4.5.4\u4e4b\u524d\u7248\u672c\u3001Integration for Billingo \uff06 Gravity Forms 1.0.4\u4e4b\u524d\u7248\u672c\u3001Integration for Szamlazz.hu \u0026 Gravity Forms 1.2.7\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5176\u5728\u5404\u79cdAJAX\u64cd\u4f5c\u4e2d\u7f3a\u4e4f\u5bf9\u4e8e\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u7684\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u4f7f\u5df2\u767b\u5f55\u7684Shop Managers\u53ca\u5176\u4ee5\u4e0a\u6267\u884c\u975e\u60f3\u8981\u7684\u64cd\u4f5c\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-87360",
  "openTime": "2022-12-14",
  "patchDescription": "WordPress\u548cWordPress plugin\u90fd\u662fWordPress\u57fa\u91d1\u4f1a\u7684\u4ea7\u54c1\u3002WordPress\u662f\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002WordPress plugin\u662f\u4e00\u4e2a\u5e94\u7528\u63d2\u4ef6\u3002\r\n\r\nWordPress Woo Billingo Plus 4.4.5.4\u4e4b\u524d\u7248\u672c\u3001Integration for Billingo \uff06 Gravity Forms 1.0.4\u4e4b\u524d\u7248\u672c\u3001Integration for Szamlazz.hu \u0026 Gravity Forms 1.2.7\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5176\u5728\u5404\u79cdAJAX\u64cd\u4f5c\u4e2d\u7f3a\u4e4f\u5bf9\u4e8e\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u7684\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u4f7f\u5df2\u767b\u5f55\u7684Shop Managers\u53ca\u5176\u4ee5\u4e0a\u6267\u884c\u975e\u60f3\u8981\u7684\u64cd\u4f5c\u3002",
  "patchName": "WordPress Woo Billingo Plus and Integration for Billingo \uff06 Gravity Forms\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "WordPress Woo Billingo Plus \u003c4.4.5.4",
      "WordPress Integration for Billingo \uff06 Gravity Forms \u003c1.0.4",
      "WordPress Integration for Szamlazz.hu \u0026 Gravity Forms \u003c1.2.7"
    ]
  },
  "referenceLink": "https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd",
  "serverity": "\u9ad8",
  "submitTime": "2022-10-12",
  "title": "WordPress Woo Billingo Plus and Integration for Billingo \uff06 Gravity Forms\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

FKIE_CVE-2022-3154

Vulnerability from fkie_nvd - Published: 2022-10-10 21:15 - Updated: 2024-11-21 07:18

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Summary

References

	URL	Tags
	contact@wpscan.com	https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd	Exploit, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd	Exploit, Third Party Advisory

Impacted products

Vendor	Product	Version
woo_billingo_plus_project	woo_billingo_plus	*
integration_for_billingo_\&_gravity_forms_project	integration_for_billingo_\&_gravity_forms	*
integration_for_szamlazz.hu_\&_gravity_forms_project	integration_for_szamlazz.hu_\&_gravity_forms	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:woo_billingo_plus_project:woo_billingo_plus:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "DB344D27-D79B-4564-8EAC-0267B2586973",
              "versionEndExcluding": "4.4.5.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:integration_for_billingo_\\\u0026_gravity_forms_project:integration_for_billingo_\\\u0026_gravity_forms:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "010CF706-3C08-4FDB-A08E-ACC4FFE2F5CA",
              "versionEndExcluding": "1.0.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:integration_for_szamlazz.hu_\\\u0026_gravity_forms_project:integration_for_szamlazz.hu_\\\u0026_gravity_forms:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "51AA6F7C-B2A6-4FCD-A532-F23843D16B78",
              "versionEndExcluding": "1.2.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo \u0026 Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu \u0026 Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin\u0027s license"
    },
    {
      "lang": "es",
      "value": "El plugin Woo Billingo Plus de WordPress versiones anteriores a 4.4.5.4, el plugin Integration for Billingo \u0026amp; Gravity Forms de WordPress versiones anteriores a 1.0.4 y el plugin Integration for Szamlazz.hu \u0026amp; Gravity Forms de WordPress versiones anteriores a 1.2.7 carecen de comprobaciones de tipo CSRF en varias acciones AJAX, lo que podr\u00eda permitir a atacantes hacer que los administradores de tiendas registrados y superiores lleven a cabo acciones no deseadas, como desactivar la licencia del plugin"
    }
  ],
  "id": "CVE-2022-3154",
  "lastModified": "2024-11-21T07:18:56.397",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-10T21:15:11.510",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "contact@wpscan.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-3154 (GCVE-0-2022-3154)

GSD-2022-3154

GHSA-2CX5-VJFR-G5QR

CNVD-2022-87360

FKIE_CVE-2022-3154

Tags

Sightings

Nomenclature