Lucene search

WPScanCVE-2022-2046

HistoryAug 08, 2022 - 2:15 p.m.

CVE-2022-2046

2022-08-0814:15:08

CWE-434

WPScan

web.nvd.nist.gov

directorist

wordpress

plugin

cve-2022-2046

security vulnerability

code execution

nvd

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

21.4%

JSON

The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations.

Affected configurations

Nvd

Vulners

Node

wpwaxdirectoristRange<7.2.3wordpress

VendorProductVersionCPE
wpwaxdirectorist*cpe:2.3:a:wpwax:directorist:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
wpwax	directorist	*	cpe:2.3:a:wpwax:directorist::::::wordpress::*

CNA Affected

[
  {
    "product": "Directorist – WordPress Business Directory Plugin with Classified Ads Listings",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "7.2.3",
        "status": "affected",
        "version": "7.2.3",
        "versionType": "custom"
      }
    ]
  }
]

References

plugins.trac.wordpress.org/changeset/2752034/directorist?contextall=1&old=2731298&old_path=%2Fdirectorist

wpscan.com/vulnerability/03a04eab-be47-4195-af77-0df2a32eb807

Social References

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

21.4%

JSON

Related for CVE-2022-2046