216.73.217.64

CVE-2022-2440

· Published 29/08/2024 11:15 · Modified 29/08/2024 13:25

Labels: CVE-2022-2440 2024-08-29CVE-2022-2440CWE-502[email protected]

Essential information

Published
29/08/2024 11:15
Modified
29/08/2024 13:25
Author
Creator
CVSS
7.2 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

References