CVE-2022-0134 — Cross-Site Request Forgery in Anycomment

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 40.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bologer Anycomment

Timeline

PublishedFeb 21

Latest updateJan 10

Description

The AnyComment WordPress plugin before 0.2.18 does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make logged in admin perform such actions via a CSRF attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDbologer/anycomment< 0.2.18

🔴Vulnerability Details

GHSA

GHSA-wh4r-2vqj-7php: The AnyComment WordPress plugin before 0↗2022-02-22

▶

CVEList

AnyComment < 0.2.18 - Arbitrary HyperComments Import/Revert via CSRF↗2022-02-21

▶

📋Vendor Advisories

Chrome

Stable Channel Update for Desktop: CVE-2023-0134↗2023-01-10

▶