CVE-2022-2543 : The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks

The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts

Published 2022-09-05 13:15:08

Updated 2022-09-08 03:47:04

Source WPScan

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-2543

Probability of exploitation activity in the next 30 days: 0.10%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 40 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-2543

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2022-2543

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: contact@wpscan.com (Primary)

References for CVE-2022-2543

https://wpscan.com/vulnerability/5dc8b671-f2fa-47be-8664-9005c4fdbea8

Just a moment...
Exploit;Third Party Advisory

Products affected by CVE-2022-2543

Visualportfolio » Visual Portfolio, Photo Gallery & Post Grid » For Wordpress
Versions before (<) 2.18.0
cpe:2.3:a:visualportfolio:visual_portfolio\,_photo_gallery_\&_post_grid:*:*:*:*:*:wordpress:*:*
Matching versions

Vulnerability Details : CVE-2022-2543

Exploit prediction scoring system (EPSS) score for CVE-2022-2543

CVSS scores for CVE-2022-2543

CWE ids for CVE-2022-2543

References for CVE-2022-2543

Products affected by CVE-2022-2543