4.9
CVE-2022-0246
- EPSS 0.3%
- Veröffentlicht 11.04.2022 15:15:08
- Zuletzt bearbeitet 21.11.2024 06:38:13
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginiQ Block Country < 1.2.13 - Admin+ Arbitrary File Deletion via Zip Slip
The settings of the iQ Block Country WordPress plugin before 1.2.13 can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process, existence of a file is checked. If the file exists, it is deleted without any security control by only considering the name of the extracted file. This behavior leads to "Zip Slip" vulnerability.
Mögliche Gegenmaßnahme
iQ Block Country: Update to version 1.2.13, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
iQ Block Country
Version
[*, 1.2.13)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Webence ≫ Iq Block Country SwPlatformwordpress Version < 1.2.13
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.3% | 0.531 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.9 | 1.2 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:N/I:P/A:N
|
CWE-73 External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.