CVE-2023-2288

2023-05-3008:15:10

CWE-502

[email protected]

web.nvd.nist.gov

otter

wordpress

plugin

vulnerability

cve-2023-2288

phar

deserialization

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.5%

JSON

The Otter WordPress plugin before 2.2.6 does not sanitize some user-controlled file paths before performing file operations on them. This leads to a PHAR deserialization vulnerability on PHP < 8.0 using the phar:// stream wrapper.

Affected configurations

Vulners

NVD

Node

inedootterRange<2.2.6

VendorProductVersionCPE
inedootter*cpe:2.3:a:inedo:otter:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
inedo	otter	*	cpe:2.3:a:inedo:otter::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Otter",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "2.2.6"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]