CVE-2022-3999

HIGH

DPD Baltic Shipping WordPress Plugin < 1.2.57 - Authenticated Arbitrary Option Deletion via AJAX Action

Title source: llm

Description

The DPD Baltic Shipping WordPress plugin before 1.2.57 does not have authorisation and CSRF checks in an AJAX action, which could allow any authenticated user, such as a subscriber, to delete arbitrary options from the blog, which could make the blog unavailable.

References (1)

Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/625ae924-68db-4579-a34f-e6f33aa33643

Scores

CVSS v3 8.1
EPSS 0.0042
EPSS Percentile 34.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352 CWE-862
Status published
Products (1)
dpdgroup/woocommerce_shipping < 1.2.11
Published Dec 12, 2022
Tracked Since Feb 18, 2026