CVE-2022-3477

CRITICAL EXPLOITED NUCLEI

Newsmag < 5.2.2 - Unauthenticated Account Takeover via Facebook Login Feature


Exploitation Summary

CVE-2022-3477 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and the Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to log in as any user by knowing only that user's email address.

Nuclei Templates (1)

WordPress tagDiv Composer < 3.5 - Authentication Bypass
CRITICAL | VERIFIED | by melmathari

References (1)


Scores

CVSS v3 9.8
EPSS 0.0355
EPSS Percentile 87.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2022-10-24
CWE
CWE-287
Status published
Products (3)
newsmag_project/newsmag < 5.2.2
newspaper_project/newspaper < 12.1
tagdiv_composer_project/tagdiv_composer < 3.5
Published Nov 14, 2022
Tracked Since Feb 18, 2026