CVE-2022-3911

HIGH EXPLOITED

iubenda-cookie-law-solution < 3.3.3 - Authenticated Privilege Escalation via AJAX Action


Exploitation Summary

CVE-2022-3911 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The iubenda WordPress plugin before 3.3.3 does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin, as long as they are arrays. As a result, any authenticated user, such as a subscriber, can grant themselves arbitrary privileges, such as edit_plugins.
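A hardened WordPress AJAX handler showing the three checks the description says were missing (nonce, capability, and an allow-list of option names), written as an added example rather than the iubenda plugin's own code; the action name, nonce name and option names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hypothetical option names and action hook;
// it illustrates the checks whose absence CVE-2022-3911 describes.

// Options this endpoint is allowed to write. Anything else, including core
// options such as the role/capability table, is rejected regardless of its type.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_cookie_banner_settings',
    'example_cookie_consent_settings',
);

function example_save_settings_ajax() {
    // 1. CSRF (CWE-352): the request must carry a nonce bound to this action.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization (CWE-862): being logged in is not enough; require the
    //    capability that option changes actually need.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $incoming = isset( $_POST['options'] ) && is_array( $_POST['options'] )
        ? wp_unslash( $_POST['options'] )
        : array();

    // 3. Allow-list the option names. "Value is an array" is not a sufficient
    //    check, because privilege-bearing core options are arrays as well.
    foreach ( $incoming as $name => $value ) {
        if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) || ! is_array( $value ) ) {
            wp_send_json_error( 'option not permitted: ' . sanitize_key( $name ), 400 );
        }
        // Sanitize every leaf value before it reaches the database.
        update_option( $name, map_deep( $value, 'sanitize_text_field' ) );
    }

    wp_send_json_success();
}

// Registering on wp_ajax_ (not wp_ajax_nopriv_) restricts the hook to logged-in
// users; the capability check above is what enforces authorization.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_ajax' );
```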

References (1)

Core References

https://wpscan.com/vulnerability/c47fdca8-74ac-48a4-9780-556927fb4e52 (Exploit, Third Party Advisory; tags: exploit, vdb-entry, technical-description)

Scores

CVSS v3 8.8
EPSS 0.0046
EPSS Percentile 36.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2023-02-02
CWE
CWE-352 CWE-862
Status published
Products (1)
iubenda/iubenda-cookie-law-solution < 3.3.3
Published Jan 02, 2023
Tracked Since Feb 18, 2026