CVE Vulnerability

CVE-2022-4555

The WP Shamsi plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the deactivate() function hooked via init() in versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to deactivate arbitrary plugins on the site. This can be used to deactivate security plugins that aids in exploiting other vulnerabilities.

5.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.wordfence.com/threat-intel/vulnerabilities/id/7b498c5a-9fd1-43b8-b456-f6cec65d5077 Third Party Advisory
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2645044%40wp-shamsi&new=2645044%40wp-shamsi&sfp_email=&sfph_mail= Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:wpvar:wp_shamsi:*:*:*:*:*:wordpress:*:*
Information

Published : 2022-12-16 02:15

Updated : 2022-12-20 05:49

NVD link : CVE-2022-4555

Mitre link : CVE-2022-4555

Products Affected
No products.
CWE
CWE-862