CVE-2022-4555
MEDIUMWP Shamsi < 4.1.0 - Unauthenticated Plugin Deactivation via Missing Capability Check
Title source: llmDescription
The WP Shamsi plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the deactivate() function hooked via init() in versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to deactivate arbitrary plugins on the site. This can be used to deactivate security plugins that aids in exploiting other vulnerabilities.
References (3)
Core 3
Scores
CVSS v3
6.5
EPSS
0.0066
EPSS Percentile
47.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (2)
wpvar/WP Shamsi – افزونه تاریخ شمسی و فارسی ساز وردپرس
< 4.1.0
wpvar/wp_shamsi
< 4.1.1
Published
Dec 16, 2022
Tracked Since
Feb 18, 2026