CVE-2022-3805
Published 2022-12-22
CVE-2022-3805: The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and…
Priority: P276 · high · 7.5 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.59% (72.7th percentile)
The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the MailChimp API key, global styles, 404 page settings, and enabled elements.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jegtheme | jeg_elementor_kit | < 2.5.7 | 2.5.7 |
Detection & IOCs (extracted from sources)
command: `jkit-ajax-request=jkit_elements&form_data[mailchimp_api_key]={{rand}}&action=save_user_data&nonce={{nonce}}`
- Detect exploitation attempts by monitoring POST requests containing the parameter 'jkit-ajax-request=jkit_elements' combined with 'action=save_user_data' and a 'nonce' field — this is the unauthenticated settings update payload.
- A successful exploitation response contains the string 'Success Save Data' in a JSON body (Content-Type: application/json) with HTTP 200 — monitor for this response pattern on WordPress sites running the plugin.
- Attackers first probe for the vulnerable plugin version by fetching /wp-content/plugins/jeg-elementor-kit/readme.txt and checking for 'Stable tag: <2.5.7' — monitor for unauthenticated GET requests to this path.
- Attackers harvest the nonce from any page containing 'jeg-elementor-kit' by extracting the value of the JavaScript variable 'jkit_nonce' (10 alphanumeric characters) — presence of this variable in page source is a fingerprint for the vulnerable plugin.
- Use Shodan/FOFA/PublicWWW queries to identify exposed WordPress instances running the vulnerable plugin: search for the string '/wp-content/plugins/jeg-elementor-kit' in HTTP response bodies.
- The nonce used to bypass authorization is 'easily available' from any page edited by the plugin — it is not a secret and does not require authentication to obtain, making the bypass trivially exploitable.
- The vulnerability affects all versions up to and including 2.5.6; version 2.5.7 contains the fix. Confirm installed version via readme.txt 'Stable tag' field.
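The three monitoring hints above (the settings-update payload, the success response, and the readme.txt version probe) can be applied mechanically to a reverse-proxy or WAF log that records both request and response. The following Python scanner is an added example, not part of this advisory, the plugin, or the Nuclei template. It assumes a JSON-lines log whose field names (method, uri, body, status, content_type, response_snippet, authenticated) are an assumption about the log schema, and the sample records, nonce and API-key values embedded in it are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Path and response string taken from the detection hints in the advisory.
README_PATH = "/wp-content/plugins/jeg-elementor-kit/readme.txt"
SUCCESS_MARKER = "Success Save Data"


def merged_params(uri: str, body: str) -> dict[str, list[str]]:
    """Merge query-string and form-body parameters; WordPress reads both."""
    params: dict[str, list[str]] = {}
    for blob in (urlsplit(uri).query, body or ""):
        for key, values in parse_qs(blob, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def classify(rec: dict) -> list[str]:
    """Return the detection labels that apply to one request/response record.

    The record fields are an assumed proxy-log schema, not a real product's:
    method, uri, body, status, content_type, response_snippet, authenticated.
    """
    method = str(rec.get("method", "")).upper()
    uri = rec.get("uri", "")
    params = merged_params(uri, rec.get("body", ""))

    def first(key: str) -> str:
        return params.get(key, [""])[0]

    labels: list[str] = []

    # The unauthenticated settings-update payload described in the advisory.
    if (method == "POST"
            and first("jkit-ajax-request") == "jkit_elements"
            and first("action") == "save_user_data"
            and "nonce" in params):
        labels.append("jkit-settings-update-attempt")
        if first("form_data[mailchimp_api_key]"):
            labels.append("mailchimp-key-overwrite")

    # Unauthenticated version probe of the plugin's readme.txt.
    if (method == "GET"
            and urlsplit(uri).path == README_PATH
            and not rec.get("authenticated", False)):
        labels.append("jkit-version-probe")

    # The success response: HTTP 200, JSON body containing the marker string.
    if (rec.get("status") == 200
            and "application/json" in str(rec.get("content_type", ""))
            and SUCCESS_MARKER in str(rec.get("response_snippet", ""))):
        labels.append("jkit-settings-update-succeeded")

    return labels


def scan_log(jsonl: str) -> list[tuple[int, list[str]]]:
    """Scan a JSON-lines log; return (line number, labels) for flagged lines."""
    findings: list[tuple[int, list[str]]] = []
    for line_no, line in enumerate(jsonl.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        labels = classify(rec)
        if labels:
            findings.append((line_no, labels))
    return findings


# Constructed sample records; client IPs, nonce and API-key values are placeholders.
SAMPLE_RECORDS = [
    {"client": "203.0.113.10", "method": "GET", "uri": README_PATH,
     "status": 200, "content_type": "text/plain", "response_snippet": "Stable tag: 2.5.6"},
    {"client": "198.51.100.7", "method": "GET", "uri": "/?p=12",
     "status": 200, "content_type": "text/html", "response_snippet": "<html>"},
    {"client": "203.0.113.10", "method": "POST", "uri": "/",
     "body": "jkit-ajax-request=jkit_elements&form_data[mailchimp_api_key]=PLACEHOLDER-KEY"
             "&action=save_user_data&nonce=a1b2c3d4e5",
     "status": 200, "content_type": "application/json; charset=UTF-8",
     "response_snippet": "{\"status\":\"Success Save Data\"}"},
    {"client": "198.51.100.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&_nonce=0123456789", "authenticated": True,
     "status": 200, "content_type": "application/json", "response_snippet": "{\"success\":true}"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    for line_no, labels in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(labels)}")
```

Only the third sample record carries all three labels (attempt, MailChimp key overwrite, success), which is the combination worth paging on; the readme.txt probe on its own is low-signal scanning noise and is better used to confirm that a host was enumerated before a later update attempt from the same client.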
CVSS provenance
- NVD (v3.1): 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- VulnCheck: 8.6 HIGH
GHSA
GHSA-j26m-pwx8-x5jf (ghsa_unreviewed · 2022-12-22)
CVE-2022-3805 [HIGH] CWE-639
Description: identical to the NVD text above.
VulnCheck
CVE-2022-3805 [HIGH] Jeg Elementor Kit Plugin for WordPress MailChimp API Key Vulnerability (vulncheck · 2022 · CVSS 8.6)
Description: identical to the NVD text above.
Affected: jegtheme jeg_elementor_kit
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/jeg-elementor-kit/wordpress-jeg-elementor-kit-plugin-2-5-7-unauthenticated-settings-update-vuln
No detection rules found.
Nuclei
CVE-2022-3805 [HIGH] Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update (nuclei · CVSS 7.5)
Description: identical to the NVD text above.
Template (as indexed; the description field is cut off at this point on the page):

```yaml
id: CVE-2022-3805
info:
  name: Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update
  author: DhiyaneshDk,popcorn94
  severity: high
  description: |
    The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an
```
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2811758%40jeg-elementor-kit%2Ftrunk&old=2810568%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/jeg-elementor-kit/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c9955d65-afb3-4d28-abd2-9f2fec92d013?source=cve