CVE-2022-1008

One Click Demo Import < 3.1.0 - Admin+ Arbitrary File Upload

EPSS 1.7%CWE-434

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.7%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

11 Apr 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The One Click Demo Import WordPress plugin before 3.1.0 does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed

Affected products

Unknown · One Click Demo Import

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/2695999 https://wpscan.com/vulnerability/0c2e2b4d-49eb-4fd9-b9f0-3feae80c1082