CVE-2022-29414 - OpenCVE

Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wpkube	Subscribe To Comments Reloaded

Configuration 1 [-]

cpe:2.3:a:wpkube:subscribe_to_comments_reloaded:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities
https://wordpress.org/plugins/subscribe-to-comments-reloaded/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2022-04-29T16:41:11.513929Z

Updated: 2024-09-16T18:18:41.926Z

Reserved: 2022-04-18T00:00:00

Link: CVE-2022-29414

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-29T17:15:22.657

Modified: 2022-05-10T18:55:48.337

Link: CVE-2022-29414

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Subscribe To Comments Reloaded (WordPress plugin)", "vendor": "WPKube", "versions": [{"lessThanOrEqual": "211130", "status": "affected", "version": "<= 211130", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Vulnerability discovered by Ex.Mi (Patchstack)"}], "datePublic": "2022-04-29T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-29T16:41:11", "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"}], "solutions": [{"lang": "en", "value": "Update to 220502 or higher version."}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress Subscribe To Comments Reloaded plugin <= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "audit@patchstack.com", "DATE_PUBLIC": "2022-04-29T12:07:00.000Z", "ID": "CVE-2022-29414", "STATE": "PUBLIC", "TITLE": "WordPress Subscribe To Comments Reloaded plugin <= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Subscribe To Comments Reloaded (WordPress plugin)", "version": {"version_data": [{"version_affected": "<=", "version_name": "<= 211130", "version_value": "211130"}]}}]}, "vendor_name": "WPKube"}]}}, "credit": [{"lang": "eng", "value": "Vulnerability discovered by Ex.Mi (Patchstack)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/", "refsource": "CONFIRM", "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/"}, {"name": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities", "refsource": "CONFIRM", "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"}]}, "solution": [{"lang": "en", "value": "Update to 220502 or higher version."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:55.091Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"}]}]}, "cveMetadata": {"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "cveId": "CVE-2022-29414", "datePublished": "2022-04-29T16:41:11.513929Z", "dateReserved": "2022-04-18T00:00:00", "dateUpdated": "2024-09-16T18:18:41.926Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpkube:subscribe_to_comments_reloaded:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DA856E3E-1C38-43F6-AD81-0948EFB924FD", "versionEndIncluding": "211130", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription."}, {"lang": "es", "value": "M\u00faltiples (13x) vulnerabilidades de tipo Cross-Site Request Forgery (CSRF) en el plugin Subscribe To Comments Reloaded de WPKube versiones anteriores a 211130 incluy\u00e9ndola en WordPress, permite a atacantes limpiar el archivo de registro, descargar el archivo de informaci\u00f3n del sistema, la configuraci\u00f3n del sistema del plugin, la configuraci\u00f3n de las opciones del plugin, generar una nueva clave, restablecer todas las opciones, cambiar la configuraci\u00f3n de las notificaciones, la configuraci\u00f3n de la p\u00e1gina de administraci\u00f3n, la configuraci\u00f3n del formulario de comentarios, administrar las suscripciones ) configuraci\u00f3n de actualizaci\u00f3n masiva, administrar las suscripciones ) a\u00f1adir una nueva suscripci\u00f3n, actualizar la suscripci\u00f3n, eliminar la suscripci\u00f3n"}], "id": "CVE-2022-29414", "lastModified": "2022-05-10T18:55:48.337", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2022-04-29T17:15:22.657", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities"}, {"source": "audit@patchstack.com", "tags": ["Product", "Third Party Advisory"], "url": "https://wordpress.org/plugins/subscribe-to-comments-reloaded/"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Primary"}]}