CVE-2022-0345 – Better Notifications for WP < 1.8.7 - Email Address Disclosure

https://notcve.org/view.php?id=CVE-2022-0345

31 Jan 2022 — The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.). El plugin Customize WordPress Emails and Alerts de WordPress versiones anteriores a 1.8.7, no presenta autorización y comprobación de tipo CSRF en su acción AJAX bnfw_search_users, permitiendo a cualquier u... • https://wpscan.com/vulnerability/b3b523b9-6c92-4091-837a-d34e3174eb19 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •