← volver
CVE-2022-4265

Replyable < 2.2.10 - Subscriber+ PHP Object Injection

EPSS 0.5%CWE-352
Vexday Risk Score
3Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
06 mar 2023Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Replyable WordPress plugin before 2.2.10 does not validate the class name submitted by the request when instantiating an object in the prompt_dismiss_notice action and also lacks CSRF check in the related action. This could allow any authenticated users, such as subscriber to perform Object Injection attacks. The attack could also be done via a CSRF vector against any authenticated user
Productos afectados
Unknown · Replyable

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://wpscan.com/vulnerability/095cba08-7edd-41fb-9776-da151c0885dd