CVE-2022-2377Cross-Site Request Forgery in Directorist

CWE-352Cross-Site Request ForgeryCWE-862Missing Authorization3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 64.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wpwax Directorist
Timeline
PublishedAug 22
Latest updateAug 23

Description

The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

NVDwpwax/directorist< 7.3.0

🔴Vulnerability Details

2
GHSA
GHSA-h4cr-c9r4-6qh4: The Directorist WordPress plugin before 72022-08-23
CVEList
Directorist < 7.3.0 - Subscriber+ Arbitrary E-mail Sending2022-08-22
CVE-2022-2377 — Cross-Site Request Forgery | cvebase