CVE-2022-0914

CWE-352Cross-Site Request Forgery (CSRF)3 documents3 sources
Severity
6.5MEDIUM
EPSS
0.1%
top 68.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Export ALL UrlsAtlasgondal Export ALL Urls
Timeline
PublishedApr 11
Latest updateApr 12

Description

The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private and draft) into an arbitrary CSV file, which the attacker can then download and retrieve the list of titles for example

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5unknown/export_all_urls4.34.3

🔴Vulnerability Details

2
GHSA
GHSA-22p9-v5cc-5f4w: The Export All URLs WordPress plugin before 42022-04-12
CVEList
Export All URLs < 4.3 - Private/Draft Post/Page Title Disclosure via CSRF2022-04-11
CVE-2022-0914 (MEDIUM CVSS 6.5) | The Export All URLs WordPress plugi | cvebase.io