CVE-2022-0681Cross-Site Request Forgery in Simple Membership

CWE-352Cross-Site Request Forgery3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 65.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Simple-membership-plugin Simple Membership
Timeline
PublishedMar 21
Latest updateMar 22

Description

The Simple Membership WordPress plugin before 4.1.0 does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions via a CSRF attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-gg6q-q7vr-vj9g: The Simple Membership WordPress plugin before 42022-03-22
CVEList
Simple Membership < 4.1.0 - Arbitrary Transaction Deletion via CSRF2022-03-21
CVE-2022-0681 — Cross-Site Request Forgery | cvebase