CVE-2022-3417 WPtouch < 4.3.45 - Admin+ PHP Object Injection

2023-01-0922:13:31

WPScan

www.cve.org

cve-2022-3417

php object injection

wordpress

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

58.7%

JSON

The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injections issues when an user import (intentionally or not) a malicious settings file and a suitable gadget chain is present on the blog.

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "WPtouch",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "4.3.45"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]

References

wpscan.com/vulnerability/55772932-eebd-475b-b5df-e80fab288ee5