CVE-2022-2535

nvd nist nuclei

Published: Aug 15, 2022Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink

Affected (1)

Products: Searchwp: Searchwp Live Ajax Search

1 product

Searchwp Live Ajax Search

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Searchwp Searchwp Live Ajax Search	Before 1.6.2

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/0e13c375-044c-4c2e-ab8e-48cb89d90d02

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.