First published: Mon Jan 16 2023
The Subscribe2 WordPress plugin before 10.38 does not have a CSRF check when deleting users, which could allow attackers to make a logged-in admin delete arbitrary users by knowing their email via a CSRF attack.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Subscribe2 Project Subscribe2 | <10.38 | Update to 10.38 or newer |
The vulnerability ID for this Subscribe2 WordPress plugin issue is CVE-2022-4309.
The impact of CVE-2022-4309 is that attackers can make a logged-in admin delete arbitrary users, provided they know the victim user's email, via a CSRF attack.
The severity level of CVE-2022-4309 is low (CVSS score: 3.1).
This vulnerability is exploited by performing a CSRF attack against a logged-in admin while knowing the email of the user to be deleted.
It is recommended to update the Subscribe2 WordPress plugin to version 10.38 or newer to fix CVE-2022-4309.
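The missing control described above is a WordPress nonce check on a state-changing admin action. The following added example (not the Subscribe2 plugin's own code; the hook name, form fields and `example_` functions are assumptions) shows a delete-by-email handler without the check beside the hardened form that verifies the nonce with `check_admin_referer()` in addition to the capability check:

```php
<?php
// Added example: a WordPress admin-post handler that deletes a user by email.
// Not the Subscribe2 plugin's source; names prefixed example_ are assumed.

// Before: only a capability check. A forged cross-site POST carries the
// admin's session cookies, so current_user_can() passes and the user is
// deleted without the admin intending it (the CSRF weakness in the advisory).
function example_delete_subscriber_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $user = get_user_by( 'email', sanitize_email( $_POST['email'] ?? '' ) );
    if ( $user ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user( $user->ID );
    }
}

// After: the form embeds a per-user, per-action nonce ...
function example_render_delete_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_delete_subscriber">';
    wp_nonce_field( 'example_delete_subscriber', 'example_nonce' ); // also adds _wp_http_referer
    echo '<input type="email" name="email"> <button type="submit">Delete</button>';
    echo '</form>';
}

// ... and the handler refuses the request unless that nonce is present and valid.
function example_delete_subscriber_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // check_admin_referer() calls wp_verify_nonce() on $_POST['example_nonce']
    // for the action 'example_delete_subscriber' and dies (403) on failure.
    // A cross-site page cannot read the nonce, so a forged POST stops here.
    check_admin_referer( 'example_delete_subscriber', 'example_nonce' );

    $user = get_user_by( 'email', sanitize_email( $_POST['email'] ?? '' ) );
    if ( $user ) {
        require_once ABSPATH . 'wp-admin/includes/user.php';
        wp_delete_user( $user->ID );
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_example_delete_subscriber', 'example_delete_subscriber_safe' );
```

When reviewing a plugin for this class of bug, look for every `admin_post_*`, `admin-ajax` or settings-page handler that changes state and confirm it reaches `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` before acting.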