CVE-2022-2446
Severidad:
ALTA
Type:
CWE-502
Deserialización de datos no confiables
Fecha de publicación:
13/09/2024
Última modificación:
13/09/2024
Descripción
*** Pendiente de traducción *** The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Impacto
Puntuación base 3.x
7.20
Severidad 3.x
ALTA