CVE-2022-0345

State: PUBLISHED · Published: 2022-02-28 · Updated: 2024-08-02 · Assigner: WPScan

Description

The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.).

CWE

(none)

Affected

Unknown / Customize WordPress Emails and Alerts — v=0 <1.8.7 [affected]

CVSS

(none)

References

https://wpscan.com/vulnerability/b3b523b9-6c92-4091-837a-d34e3174eb19 exploit, vdb-entry, technical-description

Source

cvelistV5-main/cves/2022/0xxx/CVE-2022-0345.json