CVE-2022-0833

MEDIUM

Church Admin WordPress Plugin < 3.4.135 - Unauthenticated Missing Authorization and CSRF via Refresh-Backup Action


Description

The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF checks in some of its actions as well as on requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action while simultaneously requesting a publicly accessible temporary file generated by the plugin, in order to disclose the final backup filename. The attacker can then fetch that file to download the backup of the plugin's database data.

References (1)

Exploit, Third Party Advisory (exploit, vdb-entry, technical-description): https://wpscan.com/vulnerability/b2c7c1e8-d72c-4b1e-b5cb-dc2a6538965d

Scores

CVSS v3 4.3
EPSS 0.0049
EPSS Percentile 38.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Details

CWE
CWE-352, CWE-862
Status published
Products (1)
church_admin_project/church_admin < 3.4.135
Published Mar 28, 2022
Tracked Since Feb 18, 2026