CVE-2024-22156

WordPress SalesKing plugin <= 1.6.15 - Unauthenticated Plugin Settings Change vulnerability

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Missing Authorization vulnerability in SNP Digital SalesKing.This issue affects SalesKing: from n/a through 1.6.15.

Vulnerabilidad de autorización faltante en SNP Digital SalesKing. Este problema afecta a SalesKing: desde n/a hasta 1.6.15.

The SalesKing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in all versions up to, and including, 1.6.15. This makes it possible for unauthenticated attackers to modify plugin settings.

*Credits: Dave Jong (Patchstack)

CVSS Scores

Patchstackv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-01-05 CVE Reserved
2024-01-16 CVE Published
2024-03-27 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-862: Missing Authorization

CAPEC

References (1)

URL	Tag	Source
https://patchstack.com/database/vulnerability/salesking/wordpress-salesking-plugin-1-6-15-unauthenticated-plugin-settings-change-vulnerability?_s_id=cve	Vdb Entry

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Salesking Search vendor "Salesking"		Salesking Search vendor "Salesking" for product "Salesking"				>= 0.0.0 <= 1.6.15 Search vendor "Salesking" for product "Salesking" and version " >= 0.0.0 <= 1.6.15"		en		Affected