7.2

CVE-2022-2268

Exploit

EPSS 0.96%
Veröffentlicht 04.07.2022 13:15:08
Zuletzt bearbeitet 21.11.2024 07:00:39
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

WP All Import <= 3.6.7 - Admin+ Arbitrary File Upload

The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

Mögliche Gegenmaßnahme

WP All Import – XML, CSV & Excel Import: Update to version 3.6.8, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt WP All Import – XML, CSV & Excel Import

Version *-3.6.7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Soflyy ≫ Wp All Import SwPlatformwordpress Version < 3.6.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.96%	0.759

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/1072ad88-5760-4f2a-82b3-d515d6f73e52

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-2268

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-2268

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-2268

EUVD