CVE-2022-4101

2023-01-1616:15:11

[email protected]

web.nvd.nist.gov

cve-2022-4101

images optimize

upload

cf7

wordpress

plugin

security

vulnerability

path traversal

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

9.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.5%

JSON

The Images Optimize and Upload CF7 WordPress plugin through 2.1.4 does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack.

Affected configurations

Vulners

NVD

Node

images_optimize_and_upload_cf7_projectimages_optimize_and_upload_cf7Range≤2.1.4

VendorProductVersionCPE
images_optimize_and_upload_cf7_projectimages_optimize_and_upload_cf7*cpe:2.3:a:images_optimize_and_upload_cf7_project:images_optimize_and_upload_cf7:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
images_optimize_and_upload_cf7_project	images_optimize_and_upload_cf7	*	cpe:2.3:a:images_optimize_and_upload_cf7_project:images_optimize_and_upload_cf7::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Images Optimize and Upload CF7",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThanOrEqual": "2.1.4"
      }
    ],
    "defaultStatus": "affected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]