CVE-2022-0345 - Missing Authorization vulnerability in Madewithfuel Customize Wordpress Emails and Alerts

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: LOW
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, madewithfuel, CWE-862

Summary

The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF checks in its bnfw_search_users AJAX action, allowing any authenticated user to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one, etc.).

Vulnerable Configurations

Part | Description | Count
Application | Madewithfuel | 1

Common Weakness Enumeration (CWE)