Visualizer: Tables and Charts Manager for WordPress <= 3.7.9 - Authenticated (Contributor+) PHAR Deserialization
CVE-2022-2444

8.8HIGH

Key Information:

Vendor: Themeisle
Status: Visualizer: Tables And Charts Manager For WordPress
Vendor: CVE Published:; 18 July 2022

What is CVE-2022-2444?

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

Affected Version(s)

Visualizer: Tables and Charts Manager for WordPress * <= 3.7.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://github.com/Codeinwp/visualizer/blob/master/classe...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 18, 2022
Vulnerability Reserved
Jul 15, 2022

Credit

Rasoul Jahanshahi

Themeisle

What is CVE-2022-2444?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit