CVE-2022-2556

Published: Aug 29, 2022Modified: Nov 21, 2024

2.7

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Exploitability: 1.2 / Impact: 1.4

Source: NVD

Description

The Mailchimp for WooCommerce WordPress plugin before 2.7.2 has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example

Affected (1)

Products: Mailchimp: Mailchimp For Woocommerce

1 product

Mailchimp For Woocommerce

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mailchimp Mailchimp For Woocommerce	Before 2.7.2

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://wpscan.com/vulnerability/f2a59eaa-6b44-4098-912f-823289cf33b0

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/f2a59eaa-6b44-4098-912f-823289cf33b0

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.