nvd | NVD:CVE-2022-3366
History: Oct 31, 2022 - 4:15 p.m.

CVE-2022-3366

2022-10-31 16:15:11
CWE-502
web.nvd.nist.gov
publishpress capabilities
php object injection
wordpress configurations
multisite
cve-2022-3366

CVSS3: 7.2

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 42.9%

The PublishPress Capabilities WordPress plugin before 2.5.2 and the PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserialize the content of imported files, which could lead to PHP object injection attacks by administrators on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site.

Affected configurations

Nvd
Node
publishpress capabilities, Range <2.5.2, -, wordpress
OR
publishpress capabilities, Range <2.5.2, pro, wordpress

Vendor | Product | Version | CPE
publishpress | capabilities | * | cpe:2.3:a:publishpress:capabilities:*:*:*:*:-:wordpress:*:*
publishpress | capabilities | * | cpe:2.3:a:publishpress:capabilities:*:*:*:*:pro:wordpress:*:*
