CVE-2022-0687

Amelia < 1.0.46 - Manager+ RCE

EPSS 1.4%CWE-434

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

21 Mar 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users with the custom "Amelia Manager" role.

Affected products

Unknown · Amelia – Events & Appointments Booking Calendar

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/3cf05815-9b74-4491-a935-d69a0834146c