WPtouch < 4.3.45 - Admin+ PHP Object Injection
CVE-2022-3417

8.8HIGH

Key Information:

Vendor: Wordpress
Status: WPtouch
Vendor: CVE Published:; 9 January 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The WPtouch plugin for WordPress prior to version 4.3.45 contains a vulnerability that allows for PHP object injection through the unserialization of an imported settings file. If a user imports a malicious settings file—whether intentionally or accidentally—this could lead to severe security issues due to the exploitation of a suitable gadget chain present in the blog. It is crucial for users of the WPtouch plugin to ensure they are running an updated version to mitigate the risk of such attacks.

Affected Version(s)

WPtouch 0 < 4.3.45

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-3417 - Proof of Concept

References

https://wpscan.com/vulnerability/55772932-eebd-475b-b5df-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 9, 2023
👾
Exploit known to exist
Jan 9, 2023
Vulnerability published
Jan 9, 2023
Vulnerability Reserved
Oct 7, 2022

Credit

Nguyen Duy Quoc Khanh

WPScan