Vulnerability Details : CVE-2022-40700
Server-Side Request Forgery (SSRF) vulnerability in Montonio Montonio for WooCommerce, Wpopal Wpopal Core Features, AMO for WP – Membership Management ArcStone wp-amo, Long Watch Studio WooVirtualWallet – A virtual wallet for WooCommerce, Long Watch Studio WooVIP – Membership plugin for WordPress and WooCommerce, Long Watch Studio WooSupply – Suppliers, Supply Orders and Stock Management, Squidesma Theme Minifier, Paul Clark Styles styles, Designmodo Inc. WordPress Page Builder – Qards, Philip M. Hofer (Frumph) PHPFreeChat, Arun Basil Lal Custom Login Admin Front-end CSS, Team Agence-Press CSS Adder By Agence-Press, Unihost Confirm Data, deano1987 AMP Toolbox amp-toolbox, Arun Basil Lal Admin CSS MU.
This issue affects Montonio for WooCommerce: from n/a through 6.0.1; Wpopal Core Features: from n/a through 1.5.8; ArcStone: from n/a through 4.6.6; WooVirtualWallet – A virtual wallet for WooCommerce: from n/a through 2.2.1; WooVIP – Membership plugin for WordPress and WooCommerce: from n/a through 1.4.4; WooSupply – Suppliers, Supply Orders and Stock Management: from n/a through 1.2.2; Theme Minifier: from n/a through 2.0; Styles: from n/a through 1.2.3; WordPress Page Builder – Qards: from n/a through 1.0.5; PHPFreeChat: from n/a through 0.2.8; Custom Login Admin Front-end CSS: from n/a through 1.4.1; CSS Adder By Agence-Press: from n/a through 1.5.0; Confirm Data: from n/a through 1.0.7; AMP Toolbox: from n/a through 2.1.1; Admin CSS MU: from n/a through 2.6.
Vulnerability category: Server-side request forgery (SSRF)
Products affected by CVE-2022-40700
- cpe:2.3:a:designmodo:qards:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:wpopal:wpopal_core_features:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:millionclues:admin_css_mu:*:*:*:*:*:wordpress:*:*
- Millionclues » Custom Login Admin Front-end Css » For Wordpress, versions up to and including (<=) 1.4.1: cpe:2.3:a:millionclues:custom_login_admin_front-end_css:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:deano:amp_toolbox:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:unihost:confirm_data:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:agence-press:css_adder:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:montonio:montonio_for_woocommerce:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:frumph:phpfreechat:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:paulclark:styles:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:squidesma:theme_minifier:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:longwatchstudio:woosupply:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:longwatchstudio:woovip:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:longwatchstudio:woovirtualwallet:*:*:*:*:*:wordpress:*:*
- cpe:2.3:a:arcstone:amo_for_wp_-_membership_management:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-40700
- EPSS score: 30.33% (probability of exploitation activity in the next 30 days)
- Percentile: ~97% (the proportion of vulnerabilities that are scored at or below this level)
CVSS scores for CVE-2022-40700
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 3.9 | 4.2 | Patchstack | 2024-01-19 |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 2024-01-30 |
CWE ids for CVE-2022-40700
- The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Assigned by: audit@patchstack.com (Primary)
References for CVE-2022-40700
- https://patchstack.com/database/vulnerability/montonio-for-woocommerce/wordpress-montonio-for-woocommerce-plugin-6-0-1-server-side-request-forgery-ssrf?_s_id=cve
  WordPress Montonio for WooCommerce plugin <= 6.0.1 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/admin-css-mu/wordpress-admin-css-mu-plugin-2-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
  WordPress Admin CSS MU plugin <= 2.6 - Server-Side Request Forgery (SSRF) vulnerability - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/theme-minifier/wordpress-theme-minifier-plugin-2-0-server-side-request-forgery-ssrf?_s_id=cve
  WordPress Theme Minifier plugin <= 2.0 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/woovirtualwallet/wordpress-woovirtualwallet-plugin-2-2-1-server-side-request-forgery-ssrf?_s_id=cve
  WordPress WooVirtualWallet plugin <= 2.2.1 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/confirm-data/wordpress-confirm-data-plugin-1-0-7-unauth-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
  WordPress Confirm Data plugin <= 1.0.7 - Unauth. Server-Side Request Forgery (SSRF) vulnerability - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/qards-free/wordpress-wordpress-page-builder-qards-plugin-1-0-5-server-side-request-forgery-ssrf?_s_id=cve
  WordPress WordPress Page Builder - Qards plugin <= 1.0.5 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/woovip/wordpress-woovip-plugin-1-4-4-server-side-request-forgery-ssrf?_s_id=cve
  WordPress WooVIP plugin <= 1.4.4 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/phpfreechat/wordpress-phpfreechat-plugin-0-2-8-server-side-request-forgery-ssrf?_s_id=cve
  WordPress PHPFreeChat plugin <= 0.2.8 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/custom-login-admin-front-end-css-with-multisite-support/wordpress-custom-login-admin-front-end-css-plugin-1-4-1-server-side-request-forgery-ssrf?_s_id=cve
  WordPress Custom Login Admin Front-end CSS plugin <= 1.4.1 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/css-adder-by-agence-press/wordpress-css-adder-by-agene-press-plugin-1-5-0-server-side-request-forgery-ssrf?_s_id=cve
  WordPress CSS Adder By Agene-Press plugin <= 1.5.0 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/amp-toolbox/wordpress-amp-toolbox-plugin-2-1-1-server-side-request-forgery-ssrf?_s_id=cve
  WordPress AMP Toolbox plugin <= 2.1.1 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/wpopal-core-features/wordpress-wpopal-core-features-plugin-1-5-7-server-side-request-forgery-ssrf?_s_id=cve
  WordPress Wpopal Core Features plugin <= 1.5.8 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/styles/wordpress-styles-plugin-1-2-3-server-side-request-forgery-ssrf?_s_id=cve
  WordPress Styles plugin <= 1.2.3 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/woosupply/wordpress-woosupply-plugin-1-2-2-server-side-request-forgery-ssrf?_s_id=cve
  WordPress WooSupply plugin <= 1.2.2 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)
- https://patchstack.com/database/vulnerability/wp-amo/wordpress-amo-for-wp-plugin-4-6-6-server-side-request-forgery-ssrf?_s_id=cve
  WordPress AMO for WP plugin <= 4.6.6 - Server Side Request Forgery (SSRF) - Patchstack (Third Party Advisory)