Clerk Plugin up to 3.x on WordPress API Request timing discrepancy
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.1 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Clerk Plugin up to 3.x on WordPress and classified as problematic. Affected by this issue is some unknown functionality of the component API Request Handler. Such manipulation leads to timing discrepancy. This vulnerability is referenced as CVE-2022-3907. No exploit is available. It is suggested to upgrade the affected component.
Details
A vulnerability was found in Clerk Plugin up to 3.x on WordPress (WordPress Plugin). It has been rated as problematic. Affected by this issue is an unknown part of the code in the component API Request Handler. Manipulation with an unknown input leads to a timing discrepancy vulnerability. Using CWE to declare the problem leads to CWE-208: two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. Impacted is confidentiality. CVE summarizes:
The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options.
The weakness was published 12/06/2022. The advisory is shared for download at wpscan.com. This vulnerability is handled as CVE-2022-3907 since 11/09/2022. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.
Upgrading to version 4.0.0 eliminates this vulnerability.
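The CVE text above points at the root cause: API keys were checked with ordinary comparison operators, which stop at the first mismatching byte, so the response time grows with the length of the correctly guessed prefix. The following added example is not code from the Clerk plugin or from the advisory; it models the two comparison strategies in Python with hypothetical function names (naive_compare, constant_time_equal, validate_api_key) and counts how many bytes each one examines, which is the quantity an observer can infer from timing. In PHP, the language of the plugin, the equivalent fix is hash_equals().

```python
import hashlib
import hmac


def naive_compare(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Early-exit comparison, modelling what `==` on strings does.

    Returns (equal, bytes_examined). The second value is what leaks:
    it equals the length of the matching prefix plus one.
    """
    if len(expected) != len(provided):
        return False, 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:  # stop at the first mismatch: work depends on the input
            return False, examined
    return True, examined


def constant_time_equal(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Accumulate all differences with XOR and decide only at the end.

    Every byte is examined regardless of where the first mismatch is, so
    the amount of work (and the time) no longer depends on the guess.
    Same return shape as naive_compare so the two can be contrasted.
    """
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        diff |= a ^ b  # no early return, no data-dependent branch
    return diff == 0, examined


def validate_api_key(stored_key: str, presented_key: str) -> bool:
    """Production-style check (hypothetical helper, not the plugin's code).

    Both keys are hashed first so the compared values always have the same
    length; that removes the length side channel before hmac.compare_digest,
    the standard library's constant-time comparison, is applied.
    """
    stored_digest = hashlib.sha256(stored_key.encode("utf-8")).digest()
    presented_digest = hashlib.sha256(presented_key.encode("utf-8")).digest()
    return hmac.compare_digest(stored_digest, presented_digest)


if __name__ == "__main__":
    # Constructed sample key and two wrong guesses that differ in
    # where the first mismatch occurs.
    key = b"clerk-example-key-0123456789"
    wrong_at_start = b"Xlerk-example-key-0123456789"
    wrong_at_end = b"clerk-example-key-012345678X"
    for guess in (wrong_at_start, wrong_at_end, key):
        print("naive:", naive_compare(key, guess), "constant:", constant_time_equal(key, guess))
    print("validate_api_key:", validate_api_key("secret-key", "secret-key"))
```

With the naive comparison, the examined-byte count for the two wrong guesses is 1 and 28 respectively, while the constant-time version reports 28 for both; that difference in work is the timing discrepancy CWE-208 describes, and removing it is the fix shipped in 4.0.0.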
Once again VulDB remains the best source for vulnerability data.
CVSSv3
VulDB Meta Base Score: 6.2
VulDB Meta Temp Score: 6.1
VulDB Base Score: 3.5
VulDB Temp Score: 3.4
NVD Base Score: 7.5
ADP CISA Base Score: 7.5
Exploiting
Class: Timing discrepancy
CWE: CWE-208 / CWE-203 / CWE-200
Physical: No
Local: No
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Upgrade
Upgrade: Clerk Plugin 4.0.0
Timeline
11/09/2022: CVE-2022-3907 assigned
12/06/2022: Advisory published
12/06/2022: VulDB entry created
06/08/2026: VulDB entry updated
Sources
Advisory: wpscan.com
Status: Confirmed
CVE: CVE-2022-3907
GCVE (CVE): GCVE-0-2022-3907
GCVE (VulDB): GCVE-100-214820
Entry
Created: 12/06/2022 08:27
Updated: 06/08/2026 21:51
Changes: 12/06/2022 08:27 (41), 12/26/2022 11:09 (11), 04/23/2025 19:08 (16), 06/08/2026 21:51 (11)