CVE-2022-0345

Severity CVSS v4.0:
Pending analysis
Type:
CWE-352 Cross-Site Request Forgery (CSRF)
Publication date:
28/02/2022
Last modified:
07/11/2023

Description

The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.).

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:madewithfuel:customize_wordpress_emails_and_alerts:*:*:*:*:*:wordpress:*:* 1.8.7 (excluding)