CVE-2022-0345

low-risk
Published 2022-02-28

The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.).

Do I need to act?

-
0.09% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Customize Wordpress Emails And Alerts

Affected Vendors

Madewithfuel

References (2)

Exploit https://wpscan.com/vulnerability/b3b523b9-6c92-4091-837a-d34e3174eb19
Exploit https://wpscan.com/vulnerability/b3b523b9-6c92-4091-837a-d34e3174eb19
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal