From 759cdf82bdc1e1499b0db001a2c9995de55e22e3 Mon Sep 17 00:00:00 2001 From: MostInterestingBotInTheWorld <98333686+MostInterestingBotInTheWorld@users.noreply.github.com> Date: Fri, 7 Apr 2023 12:16:58 -0400 Subject: [PATCH] Enhancement: cves/2022/CVE-2022-2551.yaml by md --- cves/2022/CVE-2022-2551.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/cves/2022/CVE-2022-2551.yaml b/cves/2022/CVE-2022-2551.yaml index 8a9ec17442..8848dd798f 100644 --- a/cves/2022/CVE-2022-2551.yaml +++ b/cves/2022/CVE-2022-2551.yaml @@ -1,18 +1,18 @@ id: CVE-2022-2551 info: - name: Duplicator < 1.4.7 - Unauthenticated Backup Download + name: WordPress Duplicator <1.4.7 - Authentication Bypass author: LRTK-CODER severity: high description: | - The Duplicator WordPress plugin before 1.4.7 discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating. + WordPress Duplicator plugin before 1.4.7 is susceptible to authentication bypass. The plugin discloses the URL of the backup to unauthenticated visitors accessing the main installer endpoint. If the installer script has been run once by an administrator, this allows download of the full site backup without proper authentication. reference: - https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0 - https://wordpress.org/plugins/duplicator/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-2551 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2551 - https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551 - remediation: Fixed in version 1.4.7.1 + - https://nvd.nist.gov/vuln/detail/CVE-2022-2551 + remediation: Fixed in version 1.4.7.1. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 @@ -45,3 +45,5 @@ requests: - type: status status: - 200 + +# Enhanced by md on 2023/04/07