Database Backup for WordPress < 2.5.2 - Arbitrary Schedule Settings Update via CSRF
CVE-2022-1577

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Database Backup For WordPress
Vendor: CVE Published:; 8 June 2022

Summary

The Database Backup for WordPress plugin before 2.5.2 does not have CSRF check in place when updating the schedule backup settings, which could allow an attacker to make a logged in admin change them via a CSRF attack. This could lead to cases where attackers can send backup notification emails to themselves, which contain more details. Or disable the automatic backup schedule

Affected Version(s)

Database Backup for WordPress 2.5.2

References

https://wpscan.com/vulnerability/39388900-266d-4308-88e7-...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 8, 2022
Vulnerability Reserved
May 4, 2022

Credit

Daniel Ruf