ByteOS Network

Vulnerability Details :

CVE-2022-4537

Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599

Published At-09 May, 2023 | 02:47

Updated At-13 Jan, 2025 | 16:50

The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Wordfence

Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599

Published At:09 May, 2023 | 02:47

Updated At:13 Jan, 2025 | 16:50

▼CVE Numbering Authority (CNA)

Affected Products

Vendor

johndarrel

Product

Hide My WP Ghost – Security Plugin

Default Status

unaffected

Versions

Affected

From * through 5.0.18 (semver)

Problem Types

Type	CWE ID	Description
N/A	N/A	CWE-348 Use of Less Trusted Source

Type: N/A

CWE ID: N/A

Description: CWE-348 Use of Less Trusted Source

Metrics

Version	Base score	Base severity	Vector
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Credits

finder

Mohammadreza Rashidi

Timeline

Event	Date
Vendor Notified	2023-04-14 00:00:00
Disclosed	2023-05-08 00:00:00

Event: Vendor Notified

Date: 2023-04-14 00:00:00

Event: Disclosed

Date: 2023-05-08 00:00:00

References

Hyperlink	Resource
https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve	N/A
https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131	N/A
https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132	N/A

Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve	x_transferred
https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131	x_transferred
https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132	x_transferred

Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132

Resource:

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security@wordfence.com

Published At:09 May, 2023 | 03:15

Updated At:07 Nov, 2023 | 03:58

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Secondary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Type: Primary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CPE Matches

wpplugins>>hide_my_wp_ghost>>Versions up to 5.0.18(inclusive)

cpe:2.3:a:wpplugins:hide_my_wp_ghost:*:*:*:*:*:wordpress:*:*

Weaknesses

CWE ID	Type	Source
CWE-345	Primary	nvd@nist.gov

CWE ID: CWE-345

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131	security@wordfence.com	Product
https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132	security@wordfence.com	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve	security@wordfence.com	Third Party Advisory

Hyperlink: https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131

Source: security@wordfence.com

Resource:

Product

Hyperlink: https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132

Source: security@wordfence.com

Resource:

Product

Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve

Source: security@wordfence.com

Resource:

Third Party Advisory

Similar CVEs

2Records found

CVE-2024-34354

Matching Score-4

Assigner-GitHub, Inc.

View Details

Matching Score-4

Assigner-GitHub, Inc.

CVSS Score-6.5||MEDIUM

EPSS-0.14% / 34.25%

7 Day CHG~0.00%

Published-09 May, 2024 | 14:51

Updated-02 Aug, 2024 | 02:51

CMSaasStarter: JWT Token Not Verified on Server Session

CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should take the patch 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 into your fork.

Vendor-CriticalMoments critical_moments

Product-CMSaasStarter cmsaasstarter

CWE ID-CWE-345

Insufficient Verification of Data Authenticity

CVE-2019-17228

Matching Score-4

Assigner-MITRE Corporation

View Details

Matching Score-4

Assigner-MITRE Corporation

CVSS Score-6.5||MEDIUM

EPSS-0.35% / 56.90%

7 Day CHG~0.00%

Published-24 Feb, 2020 | 18:25

Updated-05 Aug, 2024 | 01:33

includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress allows unauthenticated options changes.

Vendor-stylemixthemes n/a

Product-motors_-_car_dealer\,_classifieds_\&_listing n/a

CWE ID-CWE-345

Insufficient Verification of Data Authenticity

CVE-2022-4537

Credits

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs