JVNDB-2022-000026
|
WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" vulnerable to cross-site request forgery
|
WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" provided by VideoWhisper contains a cross-site request forgery vulnerability (CWE-352).
Kosuke Sakai reported and coordinated with the developer to fix this vulnerability.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for publication under the Information Security Early Warning Partnership.
This JVN publication was delayed to 2022/4/15 after the developer's fix was published.
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
VideoWhisper.com
- MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership versions prior to 1.9.6
|
If a user views a malicious page while logged in with administrative privileges, unintended operations may be performed.
|
[Update the plugin]
Update the plugin according to the information provided by the developer.
The developer has released the version listed below that addresses the vulnerability.
* "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" 1.9.6
|
VideoWhisper.com
|
- Cross-Site Request Forgery (CWE-352) [IPA Evaluation]
|
- CVE-2022-27629
|
- JVN : JVN#31606885
- National Vulnerability Database (NVD) : CVE-2022-27629
|
- [2022/04/15] Web page was published
- [2024/06/25] References: Content was added