Server Side Request Forgery (SSRF) vulnerability affecting multiple WordPress plugins
CVE-2022-40700

8.2HIGH

Key Information:

Vendor: Wordpress
Status: Montonio For WooCommerce; WPopal Core Features; Arcstone; Woovirtualwallet – A Virtual Wallet For WooCommerce
Vendor: CVE Published:; 19 January 2024

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in multiple WordPress and WooCommerce plugins, enabling attackers to send unauthorized requests from the server to internal or external services. This could be exploited to access sensitive information or services that are otherwise protected. The vulnerability impacts various popular plugins, causing potential risks if left unaddressed. Users of affected plugins are urged to update to the latest versions and follow security best practices to mitigate these vulnerabilities.

Affected Version(s)

Admin CSS MU <= 2.6

AMP Toolbox <= 2.1.1

ArcStone <= 4.6.6

References

https://patchstack.com/database/vulnerability/montonio-fo...

vdb-entry

https://patchstack.com/database/vulnerability/wpopal-core...

vdb-entry

https://patchstack.com/database/vulnerability/wp-amo/word...

vdb-entry

EPSS Score

30% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 19, 2024
Vulnerability Reserved
Sep 27, 2022

Credit

Dave Jong (Patchstack)