CVE-2022-4501

HIGH

Mega Addons for WPBakery Page Builder <= 4.3.0 - Authenticated Authorization Bypass via vc_saving_data Function

Title source: llm
STIX 2.1

Description

The Mega Addons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the vc_saving_data function in versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update the plugin's settings.

Scores

CVSS v3 7.1
EPSS 0.0069
EPSS Percentile 48.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
nasir179125/Mega Addons For WPBakery Page Builder < 4.3.0
topdigitaltrends/mega_addons_for_wpbakery_page_builder < 4.2.7
Published Dec 14, 2022
Tracked Since Feb 18, 2026