CVE-2022-4385 : The Intuitive Custom Post Order WordPress plugin before 3.1.4 does not check for

The Intuitive Custom Post Order WordPress plugin before 3.1.4 does not check for authorization in the update-menu-order ajax action, allowing any logged in user (with roles as low as Subscriber) to update the menu order

Published 2023-02-21 09:15:11

Updated 2025-03-12 17:15:37

Source WPScan

View at NVD, CVE.org

Products affected by CVE-2022-4385

Intuitive Custom Post Order Project » Intuitive Custom Post Order » For Wordpress
Versions before (<) 3.1.4
cpe:2.3:a:intuitive_custom_post_order_project:intuitive_custom_post_order:*:*:*:*:*:wordpress:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-4385

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 17 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-4385

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	2.8	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2022-4385

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- contact@wpscan.com (Primary)

References for CVE-2022-4385

https://wpscan.com/vulnerability/8f900d37-6eee-4434-8b9b-d10cc4a9167c

Just a moment...
Exploit;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-4385

Products affected by CVE-2022-4385

Exploit prediction scoring system (EPSS) score for CVE-2022-4385

CVSS scores for CVE-2022-4385

CWE ids for CVE-2022-4385

References for CVE-2022-4385