The 0mk Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the zeromk_options_page function. This makes it possible for unauthenticated attackers to inject malicious web scripts via the 'zeromk_user' and 'zeromk_apikluc' parameters through a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Link | Resource |
---|---|
https://plugins.trac.wordpress.org/browser/0mk-shortener/trunk/0mk.php#L28 | Exploit Third Party Advisory |
https://www.wordfence.com/threat-intel/vulnerabilities/id/3b798c64-3434-427d-b578-5abbdac8cd0e | Third Party Advisory |
Configurations
History
07 Nov 2023, 03:47
Type | Values Removed | Values Added |
---|---|---|
CWE |
14 Feb 2023, 18:18
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:0mk_shortener_project:0mk_shortener:*:*:*:*:*:wordpress:*:* | |
References | (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/3b798c64-3434-427d-b578-5abbdac8cd0e - Third Party Advisory | |
References | (MISC) https://plugins.trac.wordpress.org/browser/0mk-shortener/trunk/0mk.php#L28 - Exploit, Third Party Advisory | |
First Time |
0mk Shortener Project 0mk Shortener
0mk Shortener Project |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
06 Feb 2023, 19:49
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-02-06 19:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-2933
Mitre link : CVE-2022-2933
CVE.ORG link : CVE-2022-2933
JSON object : View
Products Affected
0mk_shortener_project
- 0mk_shortener
CWE
No CWE.