CVE-2022-0952 — HIGH (8.8) — White Hats Nepal

Q: How severe is CVE-2022-0952?

CVE-2022-0952 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-0952?

Check the references section above for vendor advisories and patch information. Affected products include: Sitemap Project Sitemap.

Vulnerability Description

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Sitemap Project	Sitemap	< 1.0.36

Related Weaknesses (CWE)

CWE-862 CWE-352

References

https://wpscan.com/vulnerability/0f694961-afab-44f9-846c-e80a0f6c768bExploitThird Party Advisory
https://wpscan.com/vulnerability/0f694961-afab-44f9-846c-e80a0f6c768bExploitThird Party Advisory

FAQ

What is CVE-2022-0952?

CVE-2022-0952 is a vulnerability with a CVSS score of 8.8 (HIGH). The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to...

How severe is CVE-2022-0952?

CVE-2022-0952 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-0952?

Check the references section above for vendor advisories and patch information. Affected products include: Sitemap Project Sitemap.