CVE-2022-36424: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in Nikola Loncar Easy Appointments WordPress plugin versions 3.11.9 and below. The vulnerability was identified and reported on September 14, 2022, and was assigned CVE-2022-36424. The issue affects the Easy Appointments WordPress plugin, with a fix released in version 3.11.10 (Patchstack).

The vulnerability stems from the plugin's failure to properly validate requests using nonces, which could lead to Cross-Site Request Forgery attacks. The severity of this vulnerability has been assessed with different CVSS scores: NIST assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Patchstack rated it at 4.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (WPScan).

This vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The attack requires user interaction and can potentially lead to unauthorized actions being performed on behalf of authenticated users (Patchstack).

The vulnerability has been fixed in version 3.11.10 of the Easy Appointments plugin. Users are advised to update to version 3.11.10 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).