The WP Cerber Security plugin for WordPress is vulnerable to security protection bypass in versions up to, and including 9.0, that makes user enumeration possible. This is due to improper validation on the value supplied through the 'author' parameter found in the ~/cerber-load.php file. In vulnerable versions, the plugin only blocks requests if the value supplied is numeric, making it possible for attackers to supply additional non-numeric characters to bypass the protection. The non-numeric characters are stripped and the user requested is displayed. This can be used by unauthenticated attackers to gather information about users that can targeted in further attacks.
CVE-2022-2939 is a medium severity with CVSS 5.3 Vulnerability issue affecting the Plugin WP Cerber Security, Anti-spam & Malware Scan. It affects Versions up to 9.0 and is fixed in 9.1.
CVE-2022-2939 is tracked for the Plugin WP Cerber Security, Anti-spam & Malware Scan as medium severity with CVSS 5.3. The affected range is Versions up to 9.0. Update WP Cerber Security, Anti-spam & Malware Scan to 9.1 or newer where that version is compatible with the site.
| Software Type | Plugin |
|---|---|
| Software Slug |
wp-cerber
View on wordpress.org
|
| CVE | CVE-2022-2939 |
| Patched Versions |
9.1
|
| Affected Versions |
Versions up to 9.0
|
These internal links group the same WordPress plugin by CVE, issue type, severity, and patch status so operators and search engines can connect the full vulnerability cluster.
WP Cerber Security < 8.9.3 - Multifactor Bypass
WP Cerber Security <= 9.1 - Unauthenticated Stored Cross-Site Scripting
WP Cerber Security <= 8.9.5.2 - Unauthenticated Stored Cross-Site Scripting
Cerber Security, Anti-spam & Malware Scan < 2.7 - Stored Cross-Site Scripting
WP Cerber Security <= 9.4 - IP Protection Bypass
WP Cerber Security <= 9.3.2 - User Enumeration Bypass via REST API
WP Cerber < 8.9.3 - Access Bypass Control
WP Cerber Security <= 9.0 - Authenticated (Admin+) Stored Cross-Site Scripting
This record contains material that is subject to copyright
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more
License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more
