CVE-2022-0634

low-risk
Published 2022-04-25

The ThirstyAffiliates WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Thirstyaffiliates Affiliate Link Manager

Affected Vendors

Caseproof

References (2)

Exploit https://wpscan.com/vulnerability/7e11aeb0-b231-407d-86ec-9018c2c7eee3
Exploit https://wpscan.com/vulnerability/7e11aeb0-b231-407d-86ec-9018c2c7eee3
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal