Vulnerabilities > CVE-2022-0952 - Missing Authorization vulnerability in Sitemap Project Sitemap 1.0.0

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
sitemap-project
CWE-862

Summary

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.

Vulnerable Configurations

Part Description Count
Application
Sitemap_Project
1

Common Weakness Enumeration (CWE)