Vulnerability-Lookup

CVE-2022-1846 (GCVE-0-2022-1846)

Vulnerability from cvelistv5 – Published: 2022-06-27 08:58 – Updated: 2024-08-03 00:17

Title

Tiny Contact Form <= 0.7 - Arbitrary Settings Update via CSRF

Summary

The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Severity

No CVSS data available.

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

WPScan

References

1 reference

URL	Tags
https://wpscan.com/vulnerability/5fa5838e-4843-4d…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Unknown	Tiny Contact Form	Affected: 0.7 , ≤ 0.7 (custom)

Credits

Daniel Ruf

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:17:00.834Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Tiny Contact Form",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThanOrEqual": "0.7",
              "status": "affected",
              "version": "0.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Daniel Ruf"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-27T08:58:03.000Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Tiny Contact Form \u003c= 0.7 - Arbitrary Settings Update via CSRF",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-1846",
          "STATE": "PUBLIC",
          "TITLE": "Tiny Contact Form \u003c= 0.7 - Arbitrary Settings Update via CSRF"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Tiny Contact Form",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "0.7",
                            "version_value": "0.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Daniel Ruf"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-1846",
    "datePublished": "2022-06-27T08:58:03.000Z",
    "dateReserved": "2022-05-24T00:00:00.000Z",
    "dateUpdated": "2024-08-03T00:17:00.834Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-1846",
      "date": "2026-05-31",
      "epss": "0.00103",
      "percentile": "0.27837"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-1846\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2022-06-27T09:15:09.907\",\"lastModified\":\"2024-11-21T06:41:35.903\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack\"},{\"lang\":\"es\",\"value\":\"El plugin Tiny Contact Form de WordPress versiones hasta 0.7, no presenta una comprobaci\u00f3n de tipo CSRF cuando actualiza sus ajustes, lo que podr\u00eda permitir a atacantes hacer que un administrador conectado los cambie por medio de un ataque de tipo CSRF\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"contact@wpscan.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tiny_contact_form_project:tiny_contact_form:*:*:*:*:*:wordpress:*:*\",\"versionEndIncluding\":\"0.7\",\"matchCriteriaId\":\"F00686E0-413C-44BC-AD32-56A107622C86\"}]}]}],\"references\":[{\"url\":\"https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

CNVD-2022-57624

Vulnerability from cnvd - Published: 2022-08-18

Title

WordPress Tiny Contact Form plugin跨站请求伪造漏洞

Description

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Tiny Contact Form plugin 0.7版本及之前版本存在跨站请求伪造漏洞，该漏洞源于插件在更新其设置时未能进行CSRF检查。攻击者可利用该漏洞通过CSRF攻击让登录的管理员进行更改。

Severity

中

Patch Name

WordPress Tiny Contact Form plugin跨站请求伪造漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-1846

Impacted products

Name
WordPress Tiny Contact Form plugin <=0.7

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-1846",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-1846"
    }
  },
  "description": "WordPress\u548cWordPress plugin\u90fd\u662fWordPress\u57fa\u91d1\u4f1a\u7684\u4ea7\u54c1\u3002WordPress\u662f\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002WordPress plugin\u662f\u4e00\u4e2a\u5e94\u7528\u63d2\u4ef6\u3002\n\nWordPress Tiny Contact Form plugin 0.7\u7248\u672c\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e \u63d2\u4ef6\u5728\u66f4\u65b0\u5176\u8bbe\u7f6e\u65f6\u672a\u80fd\u8fdb\u884cCSRF\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7CSRF\u653b\u51fb\u8ba9\u767b\u5f55\u7684\u7ba1\u7406\u5458\u8fdb\u884c\u66f4\u6539\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-57624",
  "openTime": "2022-08-18",
  "patchDescription": "WordPress\u548cWordPress plugin\u90fd\u662fWordPress\u57fa\u91d1\u4f1a\u7684\u4ea7\u54c1\u3002WordPress\u662f\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002WordPress plugin\u662f\u4e00\u4e2a\u5e94\u7528\u63d2\u4ef6\u3002\r\n\r\nWordPress Tiny Contact Form plugin 0.7\u7248\u672c\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e \u63d2\u4ef6\u5728\u66f4\u65b0\u5176\u8bbe\u7f6e\u65f6\u672a\u80fd\u8fdb\u884cCSRF\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7CSRF\u653b\u51fb\u8ba9\u767b\u5f55\u7684\u7ba1\u7406\u5458\u8fdb\u884c\u66f4\u6539\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WordPress Tiny Contact Form plugin\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "WordPress Tiny Contact Form plugin \u003c=0.7"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-1846",
  "serverity": "\u4e2d",
  "submitTime": "2022-06-30",
  "title": "WordPress Tiny Contact Form plugin\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

FKIE_CVE-2022-1846

Vulnerability from fkie_nvd - Published: 2022-06-27 09:15 - Updated: 2024-11-21 06:41

Severity

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Summary

The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

References

	URL	Tags
	contact@wpscan.com	https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a	Exploit, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	tiny_contact_form_project	tiny_contact_form	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tiny_contact_form_project:tiny_contact_form:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "F00686E0-413C-44BC-AD32-56A107622C86",
              "versionEndIncluding": "0.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack"
    },
    {
      "lang": "es",
      "value": "El plugin Tiny Contact Form de WordPress versiones hasta 0.7, no presenta una comprobaci\u00f3n de tipo CSRF cuando actualiza sus ajustes, lo que podr\u00eda permitir a atacantes hacer que un administrador conectado los cambie por medio de un ataque de tipo CSRF"
    }
  ],
  "id": "CVE-2022-1846",
  "lastModified": "2024-11-21T06:41:35.903",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-27T09:15:09.907",
  "references": [
    {
      "source": "contact@wpscan.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a"
    }
  ],
  "sourceIdentifier": "contact@wpscan.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "contact@wpscan.com",
      "type": "Secondary"
    }
  ]
}

GHSA-WC82-G3JQ-FWMX

Vulnerability from github – Published: 2022-06-28 00:01 – Updated: 2022-07-07 00:00

Details

The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Severity

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-1846"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-27T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack",
  "id": "GHSA-wc82-g3jq-fwmx",
  "modified": "2022-07-07T00:00:24Z",
  "published": "2022-06-28T00:01:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1846"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2022-1846

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Aliases

CVE-2022-1846

Aliases

CVE-2022-1846

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-1846",
    "description": "The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack",
    "id": "GSD-2022-1846"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-1846"
      ],
      "details": "The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack",
      "id": "GSD-2022-1846",
      "modified": "2023-12-13T01:19:28.268021Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "contact@wpscan.com",
        "ID": "CVE-2022-1846",
        "STATE": "PUBLIC",
        "TITLE": "Tiny Contact Form \u003c= 0.7 - Arbitrary Settings Update via CSRF"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Tiny Contact Form",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "0.7",
                          "version_value": "0.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Unknown"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Daniel Ruf"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack"
          }
        ]
      },
      "generator": "WPScan CVE Generator",
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a",
            "refsource": "MISC",
            "url": "https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a"
          }
        ]
      },
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:tiny_contact_form_project:tiny_contact_form:*:*:*:*:*:wordpress:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-1846"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Tiny Contact Form WordPress plugin through 0.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://wpscan.com/vulnerability/5fa5838e-4843-4d9c-9884-e3ebbf56fc6a"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2022-07-06T18:06Z",
      "publishedDate": "2022-06-27T09:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-1846 (GCVE-0-2022-1846)

CNVD-2022-57624

FKIE_CVE-2022-1846

GHSA-WC82-G3JQ-FWMX

GSD-2022-1846

Tags

Sightings

Nomenclature