CVE-2022-1749

The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via thecreateplugin_atf_admin_setting_page()function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
WordfenceCNA
8.8 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
wpmk_ajax_finder_projectwpmk_ajax_finder
𝑥
≤ 1.0.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://plugins.trac.wordpress.org/browser/find-any-think/trunk/inc/config/create-plugin-admin.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/1d063d01-5f67-4c7f-ab71-01708456e82b?source=cve
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1749
https://plugins.trac.wordpress.org/browser/find-any-think/trunk/inc/config/create-plugin-admin.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/1d063d01-5f67-4c7f-ab71-01708456e82b?source=cve
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1749