CVE-2022-2556: MailChimp for Woocommerce < 2.7.2 - Admin+ SSRF
First published: Mon Aug 29 2022(Updated: )
The Mailchimp for WooCommerce WordPress plugin before 2.7.2 has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mailchimp for WooCommerce | <2.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2022-2556?
CVE-2022-2556 is classified as a high-severity vulnerability due to the potential for unauthorized access to internal network resources.
How do I fix CVE-2022-2556?
To fix CVE-2022-2556, update the Mailchimp for WooCommerce plugin to version 2.7.2 or later.
Who is affected by CVE-2022-2556?
CVE-2022-2556 affects users of the Mailchimp for WooCommerce WordPress plugin prior to version 2.7.2.
What kind of attack can be performed using CVE-2022-2556?
CVE-2022-2556 allows high privilege users to potentially make unauthorized POST requests to internal network resources.
Is CVE-2022-2556 exploitable remotely?
Yes, CVE-2022-2556 can be exploited remotely by manipulating AJAX actions through the affected plugin.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/title
- agent/severity
- agent/references
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/mailchimp
- canonical/mailchimp for woocommerce