CVE-2022-0634

ThirstyAffiliates < 3.10.5 - Subscriber+ unauthorized image upload + CSRF

The ThirstyAffiliates WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request.

We have discovered 2 live websites that are affected by CVE-2022-0634.

Affected Software


Product	ThirstyAffiliates
Category	Wordpress Themes
Vulnerable Versions	from 0 before 3.10.5
Total Vulnerable Versions	10
Vulnerable Domains	2 live websites (3.92% of ThirstyAffiliates install base)

Common Weakness Enumeration

CWE-862 Missing Authorization

Distribution by Website Rank

The diagram provides a graphic representation of the correlation between the occurrence of CVE-2022-0634 and the relative popularity of websites

Available Reports

Website List

Details

Published - Apr 25, 2022
Updated - Jul 11, 2023

Credits

Muhamad Hidayat (finder)
WPScan (coordinator)

CWE

CWE-862

CVE References

CWE References

cwe.mitre.org

Countries

United States	2 websites

TLDs

.com	2 websites

Vulnerable Versions

Vulnerable versions are highlighted in red

Geographical Distribution

The distribution of websites across the globe that are exposed to CVE-2022-0634 through included software libraries and plugins.

References

https://wpscan.com/vulnerability/7e11aeb0-b231-407d-86ec-9018c2c7eee3

Websites affected by CVE-2022-0634

Top websites that are affected by CVE-2022-0634. Please click on the "Contact us" button above to get more information.

Domain	Country	Rank	Contacts
**********************.com	United States	*,*
*************.com	United States	,,*

See full domain list