CVE-2022-3907

7.5 HIGH

The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests due to the usag...

Published: 2022-12-05 · Last updated: 2026-06-08

Severity and scoring

CVSS: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-203

Affected products

Vendor	Product
clerk.io	clerk.io

Description

The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2022-3907
[Exploit reference]https://wpscan.com/vulnerability/7920c1c1-709d-4b1f-ac08-f0a02ddb329c
[Exploit reference]https://wpscan.com/vulnerability/7920c1c1-709d-4b1f-ac08-f0a02ddb329c

Related CVEs

Same CWE

CVE-2026-11289 — Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via... (6.5 MEDIUM)
CVE-2026-11284 — Side-channel information leakage in PerformanceAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origi... (6.5 MEDIUM)
CVE-2026-45294 — FreeScout is a free help desk and shared inbox built with PHP's Laravel framework (5.3 MEDIUM)
CVE-2026-45410 — TREK is a collaborative travel planner (5.3 MEDIUM)
CVE-2025-11145 — Observable Discrepancy, Exposure of Sensitive Information to an Unauthorized Actor, Exposure of Private Personal Information to an Unauth... (7.5 HIGH)