CVE-2022-3622 - OpenCVE

The Blog2Social plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in versions up to, and including, 6.9.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change some plugin settings intended to be modifiable by admins only.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Adenion	Blog2social

Configuration 1 [-]

cpe:2.3:a:adenion:blog2social:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/blog2social/tags/6.9.10/includes/B2S/Settings/Item.php#L116
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2795052%40blog2social&new=2795052%40blog2social&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2796598%40blog2social&new=2796598%40blog2social&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f5b8d39c-d307-42c9-a972-29b5521a82a4?source=cve

History

No history.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-10-20T07:29:40.331Z

Updated: 2024-09-11T15:54:05.817Z

Reserved: 2022-10-20T19:50:01.410Z

Link: CVE-2022-3622

Vulnrichment

Updated: 2024-08-03T01:14:02.515Z

NVD

Status : Modified

Published: 2023-10-20T08:15:11.847

Modified: 2023-11-07T03:51:31.850

Link: CVE-2022-3622

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-3622", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2022-10-20T19:50:01.410Z", "datePublished": "2023-10-20T07:29:40.331Z", "dateUpdated": "2024-09-11T15:54:05.817Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2023-10-20T07:29:40.331Z"}, "affected": [{"vendor": "pr-gateway", "product": "Blog2Social: Social Media Auto Post & Scheduler", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "6.9.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blog2Social plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in versions up to, and including, 6.9.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change some plugin settings intended to be modifiable by admins only."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5b8d39c-d307-42c9-a972-29b5521a82a4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/6.9.10/includes/B2S/Settings/Item.php#L116"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2795052%40blog2social&new=2795052%40blog2social&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2796598%40blog2social&new=2796598%40blog2social&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Marco Wotschka"}], "timeline": [{"time": "2022-09-27T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:14:02.515Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5b8d39c-d307-42c9-a972-29b5521a82a4?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/6.9.10/includes/B2S/Settings/Item.php#L116", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2795052%40blog2social&new=2795052%40blog2social&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2796598%40blog2social&new=2796598%40blog2social&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-11T15:23:27.737454Z", "id": "CVE-2022-3622", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T15:54:05.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5b8d39c-d307-42c9-a972-29b5521a82a4?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/6.9.10/includes/B2S/Settings/Item.php#L116", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2795052%40blog2social&new=2795052%40blog2social&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2796598%40blog2social&new=2796598%40blog2social&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:14:02.515Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-3622", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-11T15:23:27.737454Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T15:53:59.741Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Marco Wotschka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"}}], "affected": [{"vendor": "pr-gateway", "product": "Blog2Social: Social Media Auto Post & Scheduler", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "6.9.11"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2022-09-27T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5b8d39c-d307-42c9-a972-29b5521a82a4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/6.9.10/includes/B2S/Settings/Item.php#L116"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2795052%40blog2social&new=2795052%40blog2social&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2796598%40blog2social&new=2796598%40blog2social&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Blog2Social plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in versions up to, and including, 6.9.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change some plugin settings intended to be modifiable by admins only."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2023-10-20T07:29:40.331Z"}}}, "cveMetadata": {"cveId": "CVE-2022-3622", "state": "PUBLISHED", "dateUpdated": "2024-09-11T15:54:05.817Z", "dateReserved": "2022-10-20T19:50:01.410Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2023-10-20T07:29:40.331Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adenion:blog2social:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "7536D4D8-8089-406B-9367-A113ACB4796F", "versionEndIncluding": "6.9.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Blog2Social plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in versions up to, and including, 6.9.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change some plugin settings intended to be modifiable by admins only."}, {"lang": "es", "value": "El complemento Blog2Social para WordPress es vulnerable a la omisi\u00f3n de autorizaci\u00f3n debido a la falta de comprobaciones de capacidad en versiones hasta la 6.9.11 incluida. Esto hace posible que los atacantes autenticados, con permisos de nivel de suscriptor y superiores, cambien algunas configuraciones de complementos que solo los administradores pueden modificar."}], "id": "CVE-2022-3622", "lastModified": "2023-11-07T03:51:31.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2023-10-20T08:15:11.847", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/6.9.10/includes/B2S/Settings/Item.php#L116"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2795052%40blog2social&new=2795052%40blog2social&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2796598%40blog2social&new=2796598%40blog2social&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5b8d39c-d307-42c9-a972-29b5521a82a4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}