CVE-2022-3805

The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the MailChimp API key, global styles, 404 page settings, and enabled elements.
Configurations

Configuration 1 (hide)

cpe:2.3:a:jegtheme:jeg_elementor_kit:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 07:20

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 8.6
References () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2811758%40jeg-elementor-kit%2Ftrunk&old=2810568%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail= - Exploit, Third Party Advisory () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2811758%40jeg-elementor-kit%2Ftrunk&old=2810568%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail= - Exploit, Third Party Advisory
References () https://wordpress.org/plugins/jeg-elementor-kit/#developers - Product, Release Notes, Third Party Advisory () https://wordpress.org/plugins/jeg-elementor-kit/#developers - Product, Release Notes, Third Party Advisory
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/c9955d65-afb3-4d28-abd2-9f2fec92d013 - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/c9955d65-afb3-4d28-abd2-9f2fec92d013 - Third Party Advisory

07 Nov 2023, 03:51

Type Values Removed Values Added
CWE CWE-639

Information

Published : 2022-12-22 21:15

Updated : 2024-11-21 07:20


NVD link : CVE-2022-3805

Mitre link : CVE-2022-3805

CVE.ORG link : CVE-2022-3805


JSON object : View

Products Affected

jegtheme

  • jeg_elementor_kit
CWE

No CWE.