PHAR Deserialization Vulnerability in Jetpack CRM Plugin for WordPress
CVE-2022-3342
7.5HIGH
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 20 October 2023
What is CVE-2022-3342?
The Jetpack CRM plugin for WordPress has a vulnerability related to PHAR deserialization through the 'zbscrmcsvimpf' parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function. Although nonce verification is performed, failure to validate during two key steps leaves the system exposed. If an attacker uploads a crafted phar:// archive and convinces an administrator to follow a malicious link, they can exploit this vulnerability to inject objects into the execution stream.
Affected Version(s)
Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation * <= 5.3.1