CVE-2022-2389

The Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami WordPress plugin before 2.1.2 does not have authorisation and CSRF checks in one of its AJAX action, allowing any authenticated users, such as subscriber to create automations

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/e70f00b7-6251-476e-9297-60af509e6ad9	Exploit Third Party Advisory
https://wpscan.com/vulnerability/e70f00b7-6251-476e-9297-60af509e6ad9	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:funnelkit:funnelkit_automations:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 07:00

Type	Values Removed	Values Added
References	~~() https://wpscan.com/vulnerability/e70f00b7-6251-476e-9297-60af509e6ad9 - Exploit, Third Party Advisory~~	() https://wpscan.com/vulnerability/e70f00b7-6251-476e-9297-60af509e6ad9 - Exploit, Third Party Advisory

04 Jan 2024, 15:17

Type	Values Removed	Values Added
CPE	cpe:2.3:a:buildwoofunnels:autonami::::::wordpress::*	cpe:2.3:a:funnelkit:funnelkit_automations::::::wordpress::*
First Time		Funnelkit Funnelkit funnelkit Automations

Information

Published : 2022-08-22 15:15

Updated : 2024-11-21 07:00

NVD link : CVE-2022-2389

Mitre link : CVE-2022-2389

CVE.ORG link : CVE-2022-2389

JSON object : View

Products Affected

funnelkit

funnelkit_automations

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

CWE-862

Missing Authorization

{"id": "CVE-2022-2389", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-08-22T15:15:14.953", "references": [{"url": "https://wpscan.com/vulnerability/e70f00b7-6251-476e-9297-60af509e6ad9", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/e70f00b7-6251-476e-9297-60af509e6ad9", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami WordPress plugin before 2.1.2 does not have authorisation and CSRF checks in one of its AJAX action, allowing any authenticated users, such as subscriber to create automations"}, {"lang": "es", "value": "El plugin Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami de WordPress versiones anteriores a 2.1.2, no presenta comprobaciones de autorizaci\u00f3n y CSRF en una de sus acciones AJAX, lo que permite a cualquier usuario autenticado, como el suscriptor, crear automatizaciones"}], "lastModified": "2024-11-21T07:00:53.610", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:funnelkit:funnelkit_automations:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "9D669159-8AFE-45E5-8A09-F12E16E0B690", "versionEndExcluding": "2.1.2"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}