cbcvebase.
CVE-2022-3805
published 2022-12-22

Priority: P2 · 76 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.59% (72.7th percentile)
The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the MailChimp API key, global styles, 404 page settings, and enabled elements.

Affected

1 range
Vendor    Product            Version range   Fixed in
jegtheme  jeg_elementor_kit  < 2.5.7         2.5.7

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/jeg-elementor-kit/readme.txt
path: /wp-content/plugins/jeg-elementor-kit/
command: jkit-ajax-request=jkit_elements&form_data[mailchimp_api_key]={{rand}}&action=save_user_data&nonce={{nonce}}
other: jkit_nonce = "([a-zA-Z0-9]{10})"
other: jkit_ajax_url = "(http[s]?://[^"]+)"
  • Detect exploitation attempts by monitoring POST requests containing the parameter 'jkit-ajax-request=jkit_elements' combined with 'action=save_user_data' and a 'nonce' field — this is the unauthenticated settings update payload.
  • A successful exploitation response contains the string 'Success Save Data' in a JSON body (Content-Type: application/json) with HTTP 200 — monitor for this response pattern on WordPress sites running the plugin.
  • Attackers first probe for the vulnerable plugin version by fetching /wp-content/plugins/jeg-elementor-kit/readme.txt and checking for 'Stable tag: <2.5.7' — monitor for unauthenticated GET requests to this path.
  • Attackers harvest the nonce from any page containing 'jeg-elementor-kit' by extracting the value of the JavaScript variable 'jkit_nonce' (10 alphanumeric characters) — presence of this variable in page source is a fingerprint for the vulnerable plugin.
  • Use Shodan/FOFA/PublicWWW queries to identify exposed WordPress instances running the vulnerable plugin: search for the string '/wp-content/plugins/jeg-elementor-kit' in HTTP response bodies.
  • The nonce used to bypass authorization is 'easily available' from any page edited by the plugin — it is not a secret and does not require authentication to obtain, making the bypass trivially exploitable.
  • The vulnerability affects all versions up to and including 2.5.6; version 2.5.7 contains the fix. Confirm the installed version via the readme.txt 'Stable tag' field.
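
Detection logic for the indicators above, as an added example (not code from the page's sources or from the plugin): it classifies captured HTTP transactions, such as those logged by a WAF or reverse proxy that records request bodies, against the readme.txt version-probe rule, the unauthenticated settings-update payload rule and the 'Success Save Data' response rule. The transaction record layout, client addresses, nonce and API-key values are all constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

README_PATH = "/wp-content/plugins/jeg-elementor-kit/readme.txt"
SUCCESS_MARKER = "Success Save Data"

def _params(tx):
    """Merge query-string and POST form-body parameters into one dict of lists."""
    params = parse_qs(urlsplit(tx["path"]).query, keep_blank_values=True)
    if tx["method"] == "POST" and tx.get("body"):
        for key, vals in parse_qs(tx["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    return params

def classify(tx):
    """Return detection tags for one captured HTTP transaction; empty list if benign."""
    tags = []
    if tx["method"] == "GET" and urlsplit(tx["path"]).path == README_PATH:
        tags.append("version_probe")  # attacker checks the 'Stable tag' field
    p = _params(tx)
    if ("jkit_elements" in p.get("jkit-ajax-request", [])
            and "save_user_data" in p.get("action", []) and "nonce" in p):
        tags.append("settings_update_attempt")
        # Which plugin settings the request tried to overwrite (form_data[...] keys)
        fields = sorted(k[len("form_data["):-1] for k in p if k.startswith("form_data["))
        if fields:
            tags.append("fields=" + ",".join(fields))
        if (tx.get("status") == 200 and "json" in tx.get("content_type", "").lower()
                and SUCCESS_MARKER in tx.get("response", "")):
            tags.append("settings_update_succeeded")
    return tags

def scan(transactions):
    """Alerts as (client, tags) for every transaction matching at least one rule."""
    return [(tx["client"], tags) for tx in transactions if (tags := classify(tx))]

# Constructed sample transactions (not real traffic); nonce and API key are placeholders.
SAMPLE = [
    {"client": "203.0.113.7", "method": "GET", "path": README_PATH, "body": "",
     "status": 200, "content_type": "text/plain", "response": "Stable tag: 2.5.6"},
    {"client": "203.0.113.7", "method": "POST", "path": "/",
     "body": "jkit-ajax-request=jkit_elements&form_data[mailchimp_api_key]=PLACEHOLDER"
             "&action=save_user_data&nonce=abc123XYZ0",
     "status": 200, "content_type": "application/json",
     "response": '{"message":"Success Save Data"}'},
    {"client": "198.51.100.4", "method": "POST", "path": "/wp-login.php",
     "body": "log=editor&pwd=PLACEHOLDER", "status": 302, "content_type": "text/html",
     "response": ""},
]

if __name__ == "__main__":
    for client, tags in scan(SAMPLE):
        print(client, " ".join(tags))
```

A request that carries the payload but is answered with a non-200 or non-JSON response is still tagged as an attempt, only without the succeeded tag, so blocked probes remain visible.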

CVSS provenance

nvd: v3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vulncheck: 8.6 HIGH