CVE-2022-3911
iubenda-cookie-law-solution < 3.3.3 - Authenticated Privilege Escalation via AJAX Action
HIGH | EXPLOITED
Title source: llm
Exploitation Summary
CVE-2022-3911 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
The iubenda WordPress plugin before 3.3.3 does not perform authorisation or CSRF (nonce) checks in an AJAX action, and does not ensure that the options it updates belong to the plugin: any option name is accepted as long as the supplied value is an array. As a result, any authenticated user, such as a subscriber, can grant themselves arbitrary privileges, such as edit_plugins.
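The two weaknesses listed below (CWE-352 and CWE-862) combine with the "any option, as long as it is an array" check to make the escalation possible, because WordPress keeps every role's capability map in the {prefix}user_roles option, which is itself an array. The following PHP is an added illustration of that weakness class and of a hardened handler; it is not the iubenda plugin's code, and the handler names, nonce action, and option names (example_*) are assumptions made for the example.

```php
<?php
/**
 * Added illustration for CVE-2022-3911's weakness class. NOT the iubenda
 * plugin's code: handler names, the nonce action and the example_* option
 * names are hypothetical.
 */

// --- Vulnerable shape -------------------------------------------------------
// A wp_ajax_* action is reachable by every logged-in user (subscriber included).
// The only gate on the write is is_array(), and the option *name* comes from
// the request. {prefix}user_roles is an array, so a subscriber can post a new
// capability map for the "subscriber" role containing edit_plugins.
add_action( 'wp_ajax_example_save_options_vuln', 'example_save_options_vuln' );
function example_save_options_vuln() {
    // No check_ajax_referer()  -> CSRF (CWE-352)
    // No current_user_can()    -> missing authorisation (CWE-862)
    $options = isset( $_POST['options'] ) ? wp_unslash( $_POST['options'] ) : array();
    foreach ( (array) $options as $name => $value ) {
        if ( is_array( $value ) ) {
            update_option( $name, $value ); // attacker-controlled option name
        }
    }
    wp_send_json_success();
}

// --- Hardened shape ---------------------------------------------------------
// Allow-list of this plugin's own option names and the value type each expects.
$example_allowed_options = array(
    'example_banner_enabled' => 'bool',
    'example_banner_config'  => 'array',
);

add_action( 'wp_ajax_example_save_options', 'example_save_options' );
function example_save_options() {
    global $example_allowed_options;

    // 1. CSRF: request must carry a nonce created with
    //    wp_create_nonce( 'example_save_options' ); dies with 403 otherwise.
    check_ajax_referer( 'example_save_options', 'nonce' );

    // 2. Authorisation: only users who may manage settings can write options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $options = ( isset( $_POST['options'] ) && is_array( $_POST['options'] ) )
        ? wp_unslash( $_POST['options'] )
        : array();

    $saved = array();
    foreach ( $options as $name => $value ) {
        $name = sanitize_key( $name );

        // 3. Ownership: the option name must be one of ours. Anything else,
        //    {prefix}user_roles in particular, is silently dropped.
        if ( ! array_key_exists( $name, $example_allowed_options ) ) {
            continue;
        }

        // 4. Shape: validate the value against the declared type.
        if ( 'bool' === $example_allowed_options[ $name ] ) {
            $value = (bool) $value;
        } elseif ( is_array( $value ) ) {
            $value = map_deep( $value, 'sanitize_text_field' ); // recurses into nested arrays
        } else {
            continue;
        }

        update_option( $name, $value );
        $saved[] = $name;
    }
    wp_send_json_success( array( 'saved' => $saved ) );
}
```

The allow-list (step 3) is the check the description says the plugin lacked; the nonce and capability checks (steps 1 and 2) close the CWE-352 and CWE-862 findings. Because a successful attack rewrites the {prefix}user_roles option rather than a single user record, a post-exploitation check on an affected site should compare that option's capability arrays for low-privilege roles (subscriber, contributor) against WordPress defaults, not only list administrator accounts.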
Core References (1)
https://wpscan.com/vulnerability/c47fdca8-74ac-48a4-9780-556927fb4e52 (Exploit, Third Party Advisory; vdb-entry, technical-description)
Scores
CVSS v3
8.8
EPSS
0.0046
EPSS Percentile
36.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
VulnCheck KEV
2023-02-02
CWE
CWE-352
CWE-862
Status
published
Products (1)
iubenda/iubenda-cookie-law-solution
< 3.3.3
Published
Jan 02, 2023
Tracked Since
Feb 18, 2026