CVE-2022-3930 — Authorization Bypass Through User-Controlled Key in Directorist

Severity
6.5 MEDIUM (NVD)
EPSS
0.3%
top 44.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 12

Description

The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (1 package)

NVD: wpwax/directorist < 7.4.2.2

Vulnerability Details (2)

GHSA: GHSA-xv2w-x5xm-9j74: The Directorist WordPress plugin before 7 (2022-12-12)
CVEList: Directorist < 7.4.2.2 - Subscriber+ Arbitrary User Password Update via IDOR (2022-12-12)