CVE-2022-3366

PublishPress Capabilities < 2.5.2 - Admin+ PHP Objection Injection

CVSS 7.2 HIGHEPSS 1.1%CWE-502

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 7.2EPSS 1.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

31 out 2022Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Produtos afetados

Unknown · PublishPress Capabilities Pro Unknown · PublishPress Capabilities – User Role Access, Editor Permissions, Admin Menus

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://wpscan.com/vulnerability/72639924-e7a7-4f7d-bd50-015d05ffd4fb