
{
"id": "CVE-2022-2939",
"sourceIdentifier": "security@wordfence.com",
"published": "2022-09-06T18:15:15.143",
"lastModified": "2024-11-21T07:01:57.593",
"vulnStatus": "Modified",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP Cerber Security plugin for WordPress is vulnerable to security protection bypass in versions up to, and including, 9.0, which makes user enumeration possible. This is due to improper validation of the value supplied through the 'author' parameter handled in the ~/cerber-load.php file. In vulnerable versions, the plugin only blocks the request if the supplied value is purely numeric, so an attacker can append non-numeric characters to a numeric author ID to bypass the protection. The non-numeric characters are then stripped and the requested user is displayed. This can be used by unauthenticated attackers to gather information about users that can be targeted in further attacks."
},
{
"lang": "es",
"value": "El plugin WP Cerber Security para WordPress es vulnerable a una omisi\u00f3n de la protecci\u00f3n de seguridad en versiones hasta la 9.0, incluy\u00e9ndola, lo que hace posible la enumeraci\u00f3n de usuarios. Esto se debe a una comprobaci\u00f3n inadecuada del valor suministrado mediante el par\u00e1metro \"author\" procesado en el archivo ~/cerber-load.php. En las versiones vulnerables, el plugin s\u00f3lo bloquea la petici\u00f3n si el valor suministrado es exclusivamente num\u00e9rico, por lo que un atacante puede a\u00f1adir caracteres no num\u00e9ricos a un ID de autor num\u00e9rico para omitir la protecci\u00f3n. Los caracteres no num\u00e9ricos se eliminan y se muestra el usuario solicitado. Esto puede ser usado por atacantes no autenticados para recopilar informaci\u00f3n sobre usuarios que pueden ser objetivo de otros ataques."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security@wordfence.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4
}
]
},
"weaknesses": [
{
"source": "security@wordfence.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
},
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:cerber:wp_cerber_security\\,_anti-spam_\\&_malware_scan:*:*:*:*:*:wordpress:*:*",
"versionEndIncluding": "9.0",
"matchCriteriaId": "40F38BAC-D89C-4442-88C5-FDA0E3247850"
}
]
}
]
}
],
"references": [
{
"url": "https://plugins.trac.wordpress.org/changeset/2772930/wp-cerber/trunk/cerber-load.php",
"source": "security@wordfence.com",
"tags": [
"Patch",
"Third Party Advisory"
]
},
{
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2939",
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2772930/wp-cerber/trunk/cerber-load.php",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
]
},
{
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2939",
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
]
}
]
}