Published:2022/04/15  Last Updated:2022/04/15

JVN#31606885
WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" vulnerable to cross-site request forgery

Overview

WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" contains a cross-site request forgery vulnerability.

Products Affected

  • "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" versions prior to 1.9.6

Description

WordPress Plugin "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" provided by VideoWhisper contains a cross-site request forgery vulnerability (CWE-352).

Impact

If a user views a malicious page while logged in with the administrative privilege, unintended operations may be performed.

Solution

Update the plugin
Update the plugin according to the information provided by the developer.
The developer has released the versions listed below that address the vulnerabilities.

  • "MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership" 1.9.6

Vendor Status

Vendor Link
VideoWhisper MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership
Changes in paid-membership [2345274:2362275]

References

JPCERT/CC Addendum

This JVN publication was delayed to 2022/4/15 after the developer's fix was published.

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score: 4.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N
Base Score: 2.6
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Kosuke Sakai reported and coordinated with the developer to fix this vulnerability.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2022-27629
JVN iPedia JVNDB-2022-000026