CVE-2022-0833
MEDIUM
Church Admin WordPress Plugin < 3.4.135 - Unauthenticated Missing Authorization and CSRF via Refresh-Backup Action
Title source: llmDescription
The Church Admin WordPress plugin before 3.4.135 does not perform authorisation or CSRF checks in some of its actions and in some directly requested files. An unauthenticated attacker can repeatedly request the "refresh-backup" action while concurrently polling a publicly accessible temporary file that the plugin generates; that file discloses the final backup filename, which the attacker can then fetch to download a backup of the plugin's database data. Sites running a version below 3.4.135 should update, since the only listed fix is the patched release.
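The chain described above leaves a distinctive footprint in web-server access logs: one client issuing many refresh-backup requests interleaved with polls of the same temporary file, followed by a download of a backup file. The following is an added detection example written for this page; it is not code from the advisory or from the plugin. Only the action name "refresh-backup" is taken from the advisory: the admin-ajax.php request shape, the temporary-file path, the backup-file directory and extensions, and every log line are assumptions constructed for the example and should be adjusted to what the real plugin's requests look like in your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/Nginx). Trailing referrer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Only the action name "refresh-backup" comes from the advisory. The request
# paths below are ASSUMPTIONS chosen for this example, not the plugin's real
# URLs; adjust them to what your own access logs show.
REFRESH_RE = re.compile(r"[?&]action=refresh-backup(?:&|$)")
TEMP_RE = re.compile(r"^/wp-content/uploads/church-admin/backup-status\.txt(?:\?|$)")
BACKUP_RE = re.compile(r"^/wp-content/uploads/church-admin/[^/?]+\.(?:sql|zip)(?:\?|$)")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], TS_FMT)
    req["status"] = int(req["status"])
    return req


def classify(path):
    """Map a request path to one of the three steps of the chain, or None."""
    if REFRESH_RE.search(path):
        return "refresh"
    if TEMP_RE.match(path):
        return "poll"
    if BACKUP_RE.match(path):
        return "backup"
    return None


def detect(lines, window=60, min_refresh=3, min_poll=3):
    """Return one alert per client IP that issues >= min_refresh refresh-backup
    requests and >= min_poll temp-file polls within `window` seconds, and
    record whether that client later fetched a backup file (HTTP 200)."""
    events = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        kind = classify(req["path"])
        if kind is not None:
            events[req["ip"]].append((req["ts"], kind, req["status"]))

    alerts = []
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window]
            n_refresh = sum(1 for e in win if e[1] == "refresh")
            n_poll = sum(1 for e in win if e[1] == "poll")
            if n_refresh >= min_refresh and n_poll >= min_poll:
                downloaded = any(e[1] == "backup" and e[2] == 200 for e in evs[i:])
                alerts.append({
                    "ip": ip,
                    "start": t0.isoformat(),
                    "refresh_requests": n_refresh,
                    "temp_file_polls": n_poll,
                    "backup_downloaded": downloaded,
                })
                break  # one alert per IP is enough
    return alerts


# Constructed sample log: 203.0.113.7 runs the chain described in the advisory,
# 198.51.100.5 is an ordinary admin session that triggers the action once.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2022:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=refresh-backup HTTP/1.1" 200 17 "-" "curl/7.79"
203.0.113.7 - - [28/Mar/2022:10:00:01 +0000] "GET /wp-content/uploads/church-admin/backup-status.txt HTTP/1.1" 404 196 "-" "curl/7.79"
203.0.113.7 - - [28/Mar/2022:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=refresh-backup HTTP/1.1" 200 17 "-" "curl/7.79"
203.0.113.7 - - [28/Mar/2022:10:00:03 +0000] "GET /wp-content/uploads/church-admin/backup-status.txt HTTP/1.1" 404 196 "-" "curl/7.79"
203.0.113.7 - - [28/Mar/2022:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=refresh-backup HTTP/1.1" 200 17 "-" "curl/7.79"
203.0.113.7 - - [28/Mar/2022:10:00:05 +0000] "GET /wp-content/uploads/church-admin/backup-status.txt HTTP/1.1" 404 196 "-" "curl/7.79"
203.0.113.7 - - [28/Mar/2022:10:00:06 +0000] "GET /wp-content/uploads/church-admin/backup-status.txt HTTP/1.1" 200 41 "-" "curl/7.79"
203.0.113.7 - - [28/Mar/2022:10:00:07 +0000] "GET /wp-content/uploads/church-admin/church-admin-backup-20220328.sql HTTP/1.1" 200 91234 "-" "curl/7.79"
198.51.100.5 - - [28/Mar/2022:10:02:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [28/Mar/2022:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=refresh-backup HTTP/1.1" 200 17 "https://example.org/wp-admin/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single legitimate refresh from 198.51.100.5 never trips the rule because the thresholds require both the burst of action requests and the polling of the temporary file from the same client; `backup_downloaded` separates an attempted race from one that ended with the backup actually being served, which is the case worth an incident ticket rather than a block. The detection does not replace the fix: for this class of bug (CWE-862 plus CWE-352) the code-level remedy in a WordPress handler is a capability check together with nonce verification, and the remedy here is updating to 3.4.135 or later.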
References (1)
Core reference: https://wpscan.com/vulnerability/b2c7c1e8-d72c-4b1e-b5cb-dc2a6538965d (Exploit, Third Party Advisory; vdb-entry, technical-description)
Scores
CVSS v3: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
EPSS: 0.0049 (percentile 38.4%)
Attack Vector: NETWORK
Details
CWE: CWE-352 (Cross-Site Request Forgery), CWE-862 (Missing Authorization)
Status: published
Products (1): church_admin_project/church_admin < 3.4.135
Published: Mar 28, 2022
Tracked Since: Feb 18, 2026