CVE-2022-2370: YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak
First published: Mon Aug 01 2022(Updated: )
The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Yaycommerce | <2.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2022-2370?
The severity of CVE-2022-2370 is classified as a medium risk due to the exposure of sensitive data.
How do I fix CVE-2022-2370?
To fix CVE-2022-2370, update the YaySMTP WordPress plugin to version 2.2.1 or higher.
Who is affected by CVE-2022-2370?
Any authenticated user, including subscribers, can be affected by CVE-2022-2370 as it allows them to access Mailer Credentials.
What are the consequences of CVE-2022-2370?
The consequences of CVE-2022-2370 include potential unauthorized access to sensitive email configuration data.
Is there a patch for CVE-2022-2370?
Yes, a patch is available in the form of an update to YaySMTP plugin version 2.2.1.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/author
- agent/references
- agent/severity
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/yaycommerce
- canonical/yaycommerce