CVE-2022-0328

CWE-352 — Cross-Site Request Forgery (CSRF)3 documents3 sources

Severity

4.7MEDIUM

EPSS

0.1%

top 70.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Simple Membership Simple-membership-plugin Simple Membership

Timeline

PublishedFeb 28

Latest updateMar 1

Description

The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDsimple-membership-plugin/simple_membership< 4.0.9

▶CVEListV5unknown/simple_membership4.0.9 — 4.0.9

🔴Vulnerability Details

GHSA

GHSA-p8mj-g26x-2rp4: The Simple Membership WordPress plugin before 4↗2022-03-01

▶

CVEList

Simple Membership < 4.0.9 - Arbitrary Member Deletion via CSRF↗2022-02-28

▶