CVE-2022-3366
PublishPress Capabilities < 2.5.2 - Admin+ PHP Objection Injection
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.2EPSS 1.1%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
31 Oct 2022Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · PublishPress Capabilities ProUnknown · PublishPress Capabilities – User Role Access, Editor Permissions, Admin MenusWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →