CVE-2022-2449

The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on the site.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/6e42f26b-3403-4d55-99ad-2c8e2d76e537	Exploit Third Party Advisory
https://wpscan.com/vulnerability/6e42f26b-3403-4d55-99ad-2c8e2d76e537	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:resmush.it:resmush.it_image_optimizer:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 07:01

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-14 15:15

Updated : 2025-04-30 20:15

NVD link : CVE-2022-2449

Mitre link : CVE-2022-2449

CVE.ORG link : CVE-2022-2449

JSON object : View

Products Affected

resmush.it

resmush.it_image_optimizer

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2022-2449", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2022-11-14T15:15:19.013", "references": [{"url": "https://wpscan.com/vulnerability/6e42f26b-3403-4d55-99ad-2c8e2d76e537", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/6e42f26b-3403-4d55-99ad-2c8e2d76e537", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-352"}]}, {"type": "Primary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on the site."}, {"lang": "es", "value": "El reSmush.it: el \u00fanico complemento gratuito Image Optimizer & compress para WordPress anterior a 0.4.4 no realiza comprobaciones CSRF para ninguna de sus acciones AJAX, lo que permite a los atacantes enga\u00f1ar a los usuarios que han iniciado sesi\u00f3n para que realicen diversas acciones en su nombre en el sitio."}], "lastModified": "2025-04-30T20:15:16.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:resmush.it:resmush.it_image_optimizer:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "77965192-1CDC-4C6B-A5E6-5F8680AF6354", "versionEndExcluding": "0.4.7"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}