CVE-2022-4384
Stream < 3.9.2 - Subscriber+ Alert Creation
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The Stream WordPress plugin before 3.9.2 does not prevent users with little privileges on the site (like subscribers) from using its alert creation functionality, which may enable them to leak sensitive information.
The Stream plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'save_new_alert' and 'get_new_alert_triggers_notifications' functions in versions up to, and including, 3.9.1. This makes it possible for subscriber-level attackers to use the plugin's alert functionality and potentially leak sensitive information.
*Credits:
Krzysztof ZajÄ…c, WPScan
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-12-09 CVE Reserved
- 2023-01-16 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-08-29 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/2b506252-6f37-439e-8984-7316d5cca2e5 | 2024-08-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|