Vulnerability Details : CVE-2022-1967
The WP Championship WordPress plugin before 9.3 is lacking CSRF checks in various places, allowing attackers to make a logged in admin perform unwanted actions, such as create and delete arbitrary teams as well as update the plugin's settings. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues
Vulnerability category: Cross site scripting (XSS)Cross-site request forgery (CSRF)
Exploit prediction scoring system (EPSS) score for CVE-2022-1967
Probability of exploitation activity in the next 30 days: 0.05%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 19 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2022-1967
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
nvd@nist.gov |
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
nvd@nist.gov |
CWE ids for CVE-2022-1967
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by: contact@wpscan.com (Primary)
References for CVE-2022-1967
-
https://wpscan.com/vulnerability/02d25736-c796-49bd-b774-66e0e3fcf4c9
Attention Required! | CloudflareExploit;Third Party Advisory
Products affected by CVE-2022-1967
- cpe:2.3:a:wp-championship_project:wp-championship:*:*:*:*:*:wordpress:*:*