CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
42.9%
The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site.
Vendor | Product | Version | CPE |
---|---|---|---|
publishpress | capabilities | * | cpe:2.3:a:publishpress:capabilities:*:*:*:*:-:wordpress:*:* |
publishpress | capabilities | * | cpe:2.3:a:publishpress:capabilities:*:*:*:*:pro:wordpress:*:* |
[
{
"vendor": "Unknown",
"product": "PublishPress Capabilities – User Role Access, Editor Permissions, Admin Menus",
"versions": [
{
"version": "2.5.2",
"status": "affected",
"lessThan": "2.5.2",
"versionType": "custom"
}
]
},
{
"vendor": "Unknown",
"product": "PublishPress Capabilities Pro",
"versions": [
{
"version": "2.5.2",
"status": "affected",
"lessThan": "2.5.2",
"versionType": "custom"
}
]
}
]
More