CVE-2022-4305

EUVD-2022-51660
The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
wp-buylogin_as_user_or_customer_\(user_switching\)
𝑥
< 3.3
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/286d972d-7bda-455c-a226-fd9ce5f925bd
https://wpscan.com/vulnerability/286d972d-7bda-455c-a226-fd9ce5f925bd