WP Customer Area < 8.1.4 - Unauthorised Actions via CSRF
CVE-2022-4745

7.1HIGH

Key Information:

Vendor: Wordpress
Status: WP Customer Area
Vendor: CVE Published:; 13 February 2023

Summary

The WP Customer Area plugin for WordPress prior to version 8.1.4 is vulnerable to Cross-Site Request Forgery (CSRF) due to insufficient checks during specific actions such as creating directories, changing file permissions, and copying files. This lack of protection can be exploited by an attacker to trick an authenticated administrator into performing unintended actions, potentially resulting in unauthorized file manipulation and the creation of arbitrary folders within the affected WordPress installation.

Affected Version(s)

WP Customer Area 0 < 8.1.4

References

https://wpscan.com/vulnerability/9703f42e-bdfe-4787-92c9-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 13, 2023
Vulnerability Reserved
Dec 27, 2022

Credit

rezaduty

WPScan