The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may allow any users with an account on the affected site, like subscribers, to use the plugin's Twilio integration to send SMSes to arbitrary phone numbers.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: WPScan
Published: 2022-12-12T17:54:42.964Z
Updated: 2024-08-03T01:27:54.056Z
Reserved: 2022-11-15T19:26:31.087Z
Link: CVE-2022-4004
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-12-12T18:15:12.957
Modified: 2023-11-07T03:56:39.550
Link: CVE-2022-4004
Redhat
No data.