CVE-2022-2379
published 2022-08-15

CVE-2022-2379: The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to…

Priority: P353 · high
CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 2.80% (84.7th percentile)
The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to the courses, exams, departments as well as student's grades and PII such as email address, physical address, phone number etc

Affected

1 range

Vendor: easy_student_results_project
Product: easy_student_results
Version range: <= 2.2.8
Fixed in: (not listed)

Detection & IOCs

URL: /wp-json/rps_result/v1/route/student_fields
URL: /wp-json/rps_result/v1/route/search_student?department_id=1&batch_id=1
  • Unauthenticated GET request to the REST API endpoint /wp-json/rps_result/v1/route/student_fields returns JSON containing 'departments' and 'batches' keys, indicating the vulnerable plugin is present and exploitable.
  • Response body to /wp-json/rps_result/v1/route/student_fields must contain both '"departments":' and 'batches":' to confirm exploitation.
  • Unauthenticated GET request to /wp-json/rps_result/v1/route/search_student?department_id=1&batch_id=1 returns student PII; response body contains 'meta_data', '"name":"', and '"registration_no":' fields.
  • Response body to /wp-json/rps_result/v1/route/search_student must contain 'meta_data', '"name":"', and '"registration_no":' to confirm student data disclosure.
  • Both exploit endpoints must return HTTP 200 with Content-Type header containing 'application/json' to confirm the vulnerability is active.
  • The vulnerability affects Easy Student Results plugin versions up to and including 2.2.8; only sites running this version range are exploitable.
  • The Nuclei template uses stop-at-first-match, meaning only the first matching endpoint response is confirmed; both endpoints should be tested independently for full coverage.