Vulnerability-Lookup

CVE-2022-29414 (GCVE-0-2022-29414)

Vulnerability from cvelistv5 – Published: 2022-04-29 16:41 – Updated: 2025-02-20 20:24

Title

WordPress Subscribe To Comments Reloaded plugin <= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities

Summary

Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

Patchstack

References

URL

Tags

	https://wordpress.org/plugins/subscribe-to-commen…	x_refsource_CONFIRM
	https://patchstack.com/database/vulnerability/sub…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	WPKube	Subscribe To Comments Reloaded (WordPress plugin)	Affected: <= 211130 , ≤ 211130 (custom)

Credits

Vulnerability discovered by Ex.Mi (Patchstack)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:17:55.091Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-29414",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-20T19:30:44.683270Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-20T20:24:02.841Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Subscribe To Comments Reloaded (WordPress plugin)",
          "vendor": "WPKube",
          "versions": [
            {
              "lessThanOrEqual": "211130",
              "status": "affected",
              "version": "\u003c= 211130",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Vulnerability discovered by Ex.Mi (Patchstack)"
        }
      ],
      "datePublic": "2022-04-29T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube\u0027s Subscribe To Comments Reloaded plugin \u003c= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions \u003e mass update settings, manage subscriptions \u003e add a new subscription, update subscription, delete Subscription."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-29T16:41:11.000Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to 220502 or higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Subscribe To Comments Reloaded plugin \u003c= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "audit@patchstack.com",
          "DATE_PUBLIC": "2022-04-29T12:07:00.000Z",
          "ID": "CVE-2022-29414",
          "STATE": "PUBLIC",
          "TITLE": "WordPress Subscribe To Comments Reloaded plugin \u003c= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Subscribe To Comments Reloaded (WordPress plugin)",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "\u003c= 211130",
                            "version_value": "211130"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "WPKube"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Vulnerability discovered by Ex.Mi (Patchstack)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube\u0027s Subscribe To Comments Reloaded plugin \u003c= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions \u003e mass update settings, manage subscriptions \u003e add a new subscription, update subscription, delete Subscription."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/",
              "refsource": "CONFIRM",
              "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/"
            },
            {
              "name": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities",
              "refsource": "CONFIRM",
              "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to 220502 or higher version."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2022-29414",
    "datePublished": "2022-04-29T16:41:11.513Z",
    "dateReserved": "2022-04-18T00:00:00.000Z",
    "dateUpdated": "2025-02-20T20:24:02.841Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://wordpress.org/plugins/subscribe-to-comments-reloaded/\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T06:17:55.091Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-29414\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-20T19:30:44.683270Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-20T19:30:46.103Z\"}}], \"cna\": {\"title\": \"WordPress Subscribe To Comments Reloaded plugin \u003c= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"Vulnerability discovered by Ex.Mi (Patchstack)\"}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"WPKube\", \"product\": \"Subscribe To Comments Reloaded (WordPress plugin)\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 211130\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"211130\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update to 220502 or higher version.\"}], \"datePublic\": \"2022-04-29T00:00:00.000Z\", \"references\": [{\"url\": \"https://wordpress.org/plugins/subscribe-to-comments-reloaded/\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube\u0027s Subscribe To Comments Reloaded plugin \u003c= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions \u003e mass update settings, manage subscriptions \u003e add a new subscription, update subscription, delete Subscription.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352 Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"shortName\": \"Patchstack\", \"dateUpdated\": \"2022-04-29T16:41:11.000Z\"}, \"x_legacyV4Record\": {\"credit\": [{\"lang\": \"eng\", \"value\": \"Vulnerability discovered by Ex.Mi (Patchstack)\"}], \"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, \"source\": {\"discovery\": \"EXTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_name\": \"\u003c= 211130\", \"version_value\": \"211130\", \"version_affected\": \"\u003c=\"}]}, \"product_name\": \"Subscribe To Comments Reloaded (WordPress plugin)\"}]}, \"vendor_name\": \"WPKube\"}]}}, \"solution\": [{\"lang\": \"en\", \"value\": \"Update to 220502 or higher version.\"}], \"data_type\": \"CVE\", \"generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"references\": {\"reference_data\": [{\"url\": \"https://wordpress.org/plugins/subscribe-to-comments-reloaded/\", \"name\": \"https://wordpress.org/plugins/subscribe-to-comments-reloaded/\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities\", \"name\": \"https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities\", \"refsource\": \"CONFIRM\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube\u0027s Subscribe To Comments Reloaded plugin \u003c= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions \u003e mass update settings, manage subscriptions \u003e add a new subscription, update subscription, delete Subscription.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-352 Cross-Site Request Forgery (CSRF)\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-29414\", \"STATE\": \"PUBLIC\", \"TITLE\": \"WordPress Subscribe To Comments Reloaded plugin \u003c= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities\", \"ASSIGNER\": \"audit@patchstack.com\", \"DATE_PUBLIC\": \"2022-04-29T12:07:00.000Z\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-29414\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-20T20:24:02.841Z\", \"dateReserved\": \"2022-04-18T00:00:00.000Z\", \"assignerOrgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"datePublished\": \"2022-04-29T16:41:11.513Z\", \"assignerShortName\": \"Patchstack\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-G87X-9QG3-CFRP

Vulnerability from github – Published: 2022-04-30 00:00 – Updated: 2022-05-11 00:02

Details

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-29414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-29T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube\u0027s Subscribe To Comments Reloaded plugin \u003c= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions \u003e mass update settings, manage subscriptions \u003e add a new subscription, update subscription, delete Subscription.",
  "id": "GHSA-g87x-9qg3-cfrp",
  "modified": "2022-05-11T00:02:03Z",
  "published": "2022-04-30T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29414"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2022-67558

Vulnerability from cnvd - Published: 2022-10-09

Title

WordPress Subscribe To Comments Reloaded plugin跨站请求伪造漏洞

Description

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Subscribe To Comments Reloaded plugin 211130及之前版本存在跨站请求伪造漏洞。攻击者可利用该漏洞伪造恶意请求诱骗受害者点击执行敏感操作，如清理日志档案、下载系统信息文件、插件系统设置、插件选项设置、生成新密钥等。

Severity

中

Patch Name

WordPress Subscribe To Comments Reloaded plugin跨站请求伪造漏洞的补丁

Patch Description

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Subscribe To Comments Reloaded plugin 211130版本及之前版本存在跨站请求伪造漏洞。攻击者可利用该漏洞伪造恶意请求诱骗受害者点击执行敏感操作,如清理日志档案、下载系统信息文件、插件系统设置、插件选项设置、生成新密钥等等。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://wordpress.org/plugins/subscribe-to-comments-reloaded/#developers

Reference

https://wordpress.org/plugins/subscribe-to-comments-reloaded/

Impacted products

Name
WordPress Subscribe To Comments Reloaded Plugin <=211130

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-29414",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-29414"
    }
  },
  "description": "WordPress\u548cWordPress plugin\u90fd\u662fWordPress\u57fa\u91d1\u4f1a\u7684\u4ea7\u54c1\u3002WordPress\u662f\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002WordPress plugin\u662f\u4e00\u4e2a\u5e94\u7528\u63d2\u4ef6\u3002\n\nWordPress Subscribe To Comments Reloaded plugin 211130\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f2a\u9020\u6076\u610f\u8bf7\u6c42\u8bf1\u9a97\u53d7\u5bb3\u8005\u70b9\u51fb\u6267\u884c\u654f\u611f\u64cd\u4f5c\uff0c\u5982\u6e05\u7406\u65e5\u5fd7\u6863\u6848\u3001\u4e0b\u8f7d\u7cfb\u7edf\u4fe1\u606f\u6587\u4ef6\u3001\u63d2\u4ef6\u7cfb\u7edf\u8bbe\u7f6e\u3001\u63d2\u4ef6\u9009\u9879\u8bbe\u7f6e\u3001\u751f\u6210\u65b0\u5bc6\u94a5\u7b49\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://wordpress.org/plugins/subscribe-to-comments-reloaded/#developers",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-67558",
  "openTime": "2022-10-09",
  "patchDescription": "WordPress\u548cWordPress plugin\u90fd\u662fWordPress\u57fa\u91d1\u4f1a\u7684\u4ea7\u54c1\u3002WordPress\u662f\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002WordPress plugin\u662f\u4e00\u4e2a\u5e94\u7528\u63d2\u4ef6\u3002\r\n\r\nWordPress Subscribe To Comments Reloaded plugin 211130\u7248\u672c\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f2a\u9020\u6076\u610f\u8bf7\u6c42\u8bf1\u9a97\u53d7\u5bb3\u8005\u70b9\u51fb\u6267\u884c\u654f\u611f\u64cd\u4f5c,\u5982\u6e05\u7406\u65e5\u5fd7\u6863\u6848\u3001\u4e0b\u8f7d\u7cfb\u7edf\u4fe1\u606f\u6587\u4ef6\u3001\u63d2\u4ef6\u7cfb\u7edf\u8bbe\u7f6e\u3001\u63d2\u4ef6\u9009\u9879\u8bbe\u7f6e\u3001\u751f\u6210\u65b0\u5bc6\u94a5\u7b49\u7b49\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WordPress Subscribe To Comments Reloaded plugin\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "WordPress Subscribe To Comments Reloaded Plugin \u003c=211130"
  },
  "referenceLink": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/",
  "serverity": "\u4e2d",
  "submitTime": "2022-05-06",
  "title": "WordPress Subscribe To Comments Reloaded plugin\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

FKIE_CVE-2022-29414

Vulnerability from fkie_nvd - Published: 2022-04-29 17:15 - Updated: 2024-11-21 06:59

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary

References

URL	Tags
audit@patchstack.com	https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities	Third Party Advisory
audit@patchstack.com	https://wordpress.org/plugins/subscribe-to-comments-reloaded/	Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://wordpress.org/plugins/subscribe-to-comments-reloaded/	Product, Third Party Advisory

Impacted products

	Vendor	Product	Version
	wpkube	subscribe_to_comments_reloaded	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wpkube:subscribe_to_comments_reloaded:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "DA856E3E-1C38-43F6-AD81-0948EFB924FD",
              "versionEndIncluding": "211130",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube\u0027s Subscribe To Comments Reloaded plugin \u003c= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions \u003e mass update settings, manage subscriptions \u003e add a new subscription, update subscription, delete Subscription."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples (13x) vulnerabilidades de tipo Cross-Site Request Forgery (CSRF) en el plugin Subscribe To Comments Reloaded de WPKube versiones anteriores a 211130 incluy\u00e9ndola en WordPress, permite a atacantes limpiar el archivo de registro, descargar el archivo de informaci\u00f3n del sistema, la configuraci\u00f3n del sistema del plugin, la configuraci\u00f3n de las opciones del plugin, generar una nueva clave, restablecer todas las opciones, cambiar la configuraci\u00f3n de las notificaciones, la configuraci\u00f3n de la p\u00e1gina de administraci\u00f3n, la configuraci\u00f3n del formulario de comentarios, administrar las suscripciones ) configuraci\u00f3n de actualizaci\u00f3n masiva, administrar las suscripciones ) a\u00f1adir una nueva suscripci\u00f3n, actualizar la suscripci\u00f3n, eliminar la suscripci\u00f3n"
    }
  ],
  "id": "CVE-2022-29414",
  "lastModified": "2024-11-21T06:59:02.023",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "audit@patchstack.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-29T17:15:22.657",
  "references": [
    {
      "source": "audit@patchstack.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"
    },
    {
      "source": "audit@patchstack.com",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/"
    }
  ],
  "sourceIdentifier": "audit@patchstack.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "audit@patchstack.com",
      "type": "Secondary"
    }
  ]
}

GSD-2022-29414

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-29414

Aliases

CVE-2022-29414

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-29414",
    "description": "Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube\u0027s Subscribe To Comments Reloaded plugin \u003c= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions \u003e mass update settings, manage subscriptions \u003e add a new subscription, update subscription, delete Subscription.",
    "id": "GSD-2022-29414"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-29414"
      ],
      "details": "Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube\u0027s Subscribe To Comments Reloaded plugin \u003c= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions \u003e mass update settings, manage subscriptions \u003e add a new subscription, update subscription, delete Subscription.",
      "id": "GSD-2022-29414",
      "modified": "2023-12-13T01:19:42.156051Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "audit@patchstack.com",
        "DATE_PUBLIC": "2022-04-29T12:07:00.000Z",
        "ID": "CVE-2022-29414",
        "STATE": "PUBLIC",
        "TITLE": "WordPress Subscribe To Comments Reloaded plugin \u003c= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Subscribe To Comments Reloaded (WordPress plugin)",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "\u003c= 211130",
                          "version_value": "211130"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "WPKube"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Vulnerability discovered by Ex.Mi (Patchstack)"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube\u0027s Subscribe To Comments Reloaded plugin \u003c= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions \u003e mass update settings, manage subscriptions \u003e add a new subscription, update subscription, delete Subscription."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/",
            "refsource": "CONFIRM",
            "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/"
          },
          {
            "name": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities",
            "refsource": "CONFIRM",
            "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"
          }
        ]
      },
      "solution": [
        {
          "lang": "eng",
          "value": "Update to 220502 or higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:wpkube:subscribe_to_comments_reloaded:*:*:*:*:*:wordpress:*:*",
                "cpe_name": [],
                "versionEndIncluding": "211130",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "audit@patchstack.com",
          "ID": "CVE-2022-29414"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube\u0027s Subscribe To Comments Reloaded plugin \u003c= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions \u003e mass update settings, manage subscriptions \u003e add a new subscription, update subscription, delete Subscription."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/",
              "refsource": "CONFIRM",
              "tags": [
                "Product",
                "Third Party Advisory"
              ],
              "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/"
            },
            {
              "name": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2022-05-10T18:55Z",
      "publishedDate": "2022-04-29T17:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-29414 (GCVE-0-2022-29414)

GHSA-G87X-9QG3-CFRP

CNVD-2022-67558

FKIE_CVE-2022-29414

GSD-2022-29414

Tags

Sightings

Nomenclature