CVE-2022-2379
Published: 2022-08-15
Priority: P353 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit
EPSS: 2.80% (84.7th percentile)
The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to courses, exams and departments, as well as students' grades and PII such as email address, physical address, phone number, etc.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| easy_student_results_project | easy_student_results | <= 2.2.8 | — |
Detection & IOCs (extracted from sources)
- An unauthenticated GET request to the REST API endpoint /wp-json/rps_result/v1/route/student_fields returns JSON containing the "departments" and "batches" keys, indicating that the vulnerable plugin is present and exploitable.
- The response body from /wp-json/rps_result/v1/route/student_fields must contain both '"departments":' and '"batches":' to confirm exploitation.
- An unauthenticated GET request to /wp-json/rps_result/v1/route/search_student?department_id=1&batch_id=1 returns student PII; the response body contains the 'meta_data', '"name":"' and '"registration_no":' fields.
- The response body from /wp-json/rps_result/v1/route/search_student must contain 'meta_data', '"name":"' and '"registration_no":' to confirm student data disclosure.
- Both endpoints must return HTTP 200 with a Content-Type header containing 'application/json' to confirm that the vulnerability is active; a 200 response of another content type that happens to echo the tokens is not a confirmation.
- The vulnerability affects Easy Student Results plugin versions up to and including 2.2.8; only sites running that version range are exploitable.
- The Nuclei template uses stop-at-first-match, so a scan confirms only the first endpoint whose response matches; test both endpoints independently for full coverage.
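The checks in the detection notes above, as an added example that is not part of this page or of the Nuclei template: a small Python evaluator that applies the status, Content-Type and body-token conditions to each endpoint independently (instead of stopping at the first match), rejects an HTML page that merely echoes the tokens, and lists which student fields a positive search_student response exposes. The endpoint paths and tokens are the ones the notes give; the HTTP responses are constructed sample data, the student-record JSON layout (an array of objects with a nested meta_data object) is an assumption, and so is the 401/rest_forbidden reply used to model a site that now enforces a permission check.

```python
"""Offline evaluation of the CVE-2022-2379 indicators listed above.

Added example; it is not the page's or the Nuclei project's code. The
endpoint paths and body tokens are the ones the detection notes give, the
HTTP responses are constructed sample data, and the JSON layout of the
student records is an assumption (the page does not document it).
"""
import json
from dataclasses import dataclass

STUDENT_FIELDS = "/wp-json/rps_result/v1/route/student_fields"
SEARCH_STUDENT = "/wp-json/rps_result/v1/route/search_student?department_id=1&batch_id=1"

# Body tokens from the detection notes. Every token for an endpoint must be
# present in the raw body (a Nuclei word matcher with condition: and).
BODY_WORDS = {
    STUDENT_FIELDS: ['"departments":', '"batches":'],
    SEARCH_STUDENT: ['meta_data', '"name":"', '"registration_no":'],
}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; nothing here does live requests."""
    status: int
    headers: dict
    body: str


def _is_json(headers):
    # Header names are case-insensitive and the value may carry a charset.
    return any(name.lower() == "content-type" and "application/json" in value.lower()
               for name, value in headers.items())


def endpoint_exposed(path, resp):
    """The page's three conditions for one endpoint: HTTP 200, a JSON
    Content-Type, and all expected body tokens. Any miss means 'not confirmed'."""
    if resp.status != 200 or not _is_json(resp.headers):
        return False
    return all(word in resp.body for word in BODY_WORDS[path])


def assess(responses):
    """Evaluate both endpoints independently (the Nuclei template stops at the
    first match) and return {path: exposed}. An endpoint with no response
    counts as not exposed."""
    return {path: path in responses and endpoint_exposed(path, responses[path])
            for path in BODY_WORDS}


def leaked_student_fields(resp):
    """Sorted field names found in the student records of a search_student
    response, so exposure scope can be reported without re-printing the PII.
    Assumes a JSON array of records with a nested 'meta_data' object; anything
    else (an error body, non-JSON) yields []."""
    try:
        records = json.loads(resp.body)
    except json.JSONDecodeError:
        return []
    if not isinstance(records, list):
        return []
    keys = set()
    for rec in records:
        if not isinstance(rec, dict):
            continue
        keys.update(k for k in rec if k != "meta_data")
        meta = rec.get("meta_data")
        if isinstance(meta, dict):
            keys.update(f"meta_data.{k}" for k in meta)
    return sorted(keys)


def _json(obj):
    # Compact encoding, as WordPress emits it, so '"name":"' matches literally.
    return json.dumps(obj, separators=(",", ":"))


JSON_HDR = {"Content-Type": "application/json; charset=UTF-8"}

# Constructed responses for an unpatched site (record layout assumed).
VULNERABLE = {
    STUDENT_FIELDS: Response(200, JSON_HDR, _json({
        "departments": [{"id": 1, "name": "Computer Science"}],
        "batches": [{"id": 1, "name": "2021"}]})),
    SEARCH_STUDENT: Response(200, JSON_HDR, _json([{
        "name": "Sample Student", "registration_no": "CS-2021-001",
        "meta_data": {"email": "student@example.invalid",
                      "phone": "000-0000", "address": "1 Example St"}}])),
}

# Constructed responses for a site whose routes now enforce a permission
# check: WordPress answers an unauthenticated caller with 401 / rest_forbidden.
FORBIDDEN = Response(401, JSON_HDR, _json({
    "code": "rest_forbidden",
    "message": "Sorry, you are not allowed to do that.",
    "data": {"status": 401}}))
PATCHED = {STUDENT_FIELDS: FORBIDDEN, SEARCH_STUDENT: FORBIDDEN}

# A 200 HTML page that echoes the request (e.g. a WAF block page) contains
# the tokens but not the JSON Content-Type, so it must not match.
HTML_ECHO = {STUDENT_FIELDS: Response(200, {"Content-Type": "text/html"},
                                      '<p>blocked: "departments": "batches":</p>')}

if __name__ == "__main__":
    for label, site in (("vulnerable", VULNERABLE), ("patched", PATCHED), ("html echo", HTML_ECHO)):
        print(label, assess(site))
    print("exposed fields:", leaked_student_fields(VULNERABLE[SEARCH_STUDENT]))
```

Run as a script it prints one verdict per endpoint for each constructed site. Against a live target you are authorised to test, build the Response objects from real replies (status, headers, body) instead of the constructed ones; the matcher logic itself does not change. Reporting field names rather than values keeps the PII out of scan logs.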
No detection rules found.
Nuclei
WordPress Easy Student Results <=2.2.8 - Improper Authorization (nuclei · severity HIGH · CVSS 7.5)
WordPress Easy Student Results plugin through 2.2.8 is susceptible to information disclosure. The plugin lacks authorization in its REST API, which can allow an attacker to retrieve sensitive information related to courses, exams, and departments, as well as student grades and information such as email address, physical address, and phone number.
Template (info block only; the request and matcher section is not reproduced on this page):

```yaml
id: CVE-2022-2379

info:
  name: WordPress Easy Student Results <=2.2.8 - Improper Authorization
  author: theamanrawat
  severity: high
  description: |
    WordPress Easy Student Results plugin through 2.2.8 is susceptible to information disclosure. The plugin lacks authorization in its REST API, which can allow an attacker to retrieve sensitive information related to courses, exams, and departments, as well as student grades and information such as email address, physical address, and phone number.
```
No writeups or analysis indexed.