WPtouch < 4.3.45 - Admin+ PHP Object Injection
CVE-2022-3417

8.8HIGH

Key Information:

Vendor: Wordpress
Status: WPtouch
Vendor: CVE Published:; 9 January 2023

Summary

The WPtouch plugin for WordPress prior to version 4.3.45 contains a vulnerability that allows for PHP object injection through the unserialization of an imported settings file. If a user imports a malicious settings file—whether intentionally or accidentally—this could lead to severe security issues due to the exploitation of a suitable gadget chain present in the blog. It is crucial for users of the WPtouch plugin to ensure they are running an updated version to mitigate the risk of such attacks.

Affected Version(s)

WPtouch 0 < 4.3.45

References

https://wpscan.com/vulnerability/55772932-eebd-475b-b5df-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 9, 2023
Vulnerability Reserved
Oct 7, 2022

Credit

Nguyen Duy Quoc Khanh

WPScan