CVE-2022-0440

Catch Themes Demo Import < 2.1.1 - Admin+ Remote Code Execution

EPSS 1.4%CWE-434

Vexday Risk Score

3Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS —EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

07 mar 2022Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The Catch Themes Demo Import WordPress plugin before 2.1.1 does not validate one of the file to be imported, which could allow high privivilege admin to upload an arbitrary PHP file and gain RCE even in the case of an hardened blog (ie DISALLOW_UNFILTERED_HTML, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants set to true)

Produtos afetados

Unknown · Catch Themes Demo Import

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://wpscan.com/vulnerability/2239095f-8a66-4a5d-ab49-1662a40fddf1