CVE-2022-2370

{"id": "CVE-2022-2370", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2022-08-01T13:15:11.343", "references": [{"url": "https://wpscan.com/vulnerability/bedda2a9-6c52-478e-b17a-7a4488419334", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them"}, {"lang": "es", "value": "El plugin YaySMTP de WordPress versiones anteriores a 2.2.1, no dispone de una comprobaci\u00f3n de capacidad antes de mostrar las credenciales de correo en el c\u00f3digo JS para la configuraci\u00f3n, permitiendo a cualquier usuario autenticado, como el suscriptor, recuperarlas"}], "lastModified": "2023-11-07T03:46:33.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yaycommerce:yaysmtp:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "C851DF65-56CF-49EE-A017-A546E7AE6ACC", "versionEndExcluding": "2.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}