CVE-2022-3694: 
WordPress vulnerability analysis and mitigation

The CVE-2022-3694 is a sensitive data disclosure vulnerability affecting the Syncee – Global Dropshipping WordPress plugin versions prior to 1.0.10. The vulnerability was discovered and reported by researcher 5h4m4n53c, with public disclosure occurring on November 28, 2022 (WPScan).

The vulnerability stems from the plugin's improper handling of authentication tokens. The plugin makes a GET request to the endpoint '/wp-json/syncee/retailer/v1/getDataForFrontend' which exposes the administrator's access token. The vulnerability is classified as CWE-200 (Sensitive Data Disclosure) and has received a CVSS score of 8.6 (High) (WPScan).

The exposure of the administrator token allows attackers to potentially take over the administrator's Syncee account. An attacker can leverage this token to add new team members to the administrator's account, effectively gaining unauthorized administrative access (WPScan).

The vulnerability has been patched in version 1.0.10 of the Syncee – Global Dropshipping plugin. Users are strongly advised to update to this version or later to protect against potential exploitation (WPScan).