CVE-2022-3336
Event Monster < 1.2.0 - Visitors Deletion via CSRF
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The Event Monster WordPress plugin before 1.2.0 does not have CSRF check when deleting visitors, which could allow attackers to make logged in admin delete arbitrary visitors via a CSRF attack
El complemento Event Monster de WordPress anterior a 1.2.0 no tiene verificación CSRF al eliminar visitantes, lo que podrÃa permitir a los atacantes hacer que el administrador registrado elimine visitantes arbitrarios mediante un ataque CSRF.
The Event Monster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.20. This is due to missing or incorrect nonce validation when processing AJAX actions. This makes it possible for unauthenticated attackers to invoke these actions and perform actions like deleting all visitor records, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-09-27 CVE Reserved
- 2022-10-27 CVE Published
- 2024-06-13 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/57bc6633-1aeb-4c20-a2a5-9b3fa10ba95d | 2024-08-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Awplife Search vendor "Awplife" | Event Monster Search vendor "Awplife" for product "Event Monster" | < 1.2.0 Search vendor "Awplife" for product "Event Monster" and version " < 1.2.0" | wordpress |
Affected
| ||||||