How severe is CVE-2022-2446?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.2 out of 10.

What type of vulnerability is CVE-2022-2446?

This is classified as CWE-502, which is a common weakness in software security.

CVE-2022-2446 - HIGH Severity | CVSS 7.2

Vulnerability Description

The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

Related Vulnerabilities

CVE-2015-5164

HIGH

CVSS:7.2(High)

The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code ...

CWE-5022015

CVE-2016-4978

HIGH

CVSS:7.2(High)

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote auth...

CWE-5022016

CVE-2016-8648

HIGH

CVSS:7.2(High)

It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute r...

CWE-5022016

CVE-2017-14141

HIGH

CVSS:7.2(High)

The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafte...

CWE-5022017

CVE-2018-1000509

HIGH

CVSS:7.2(High)

Redirection version 2.7.1 contains a Serialisation vulnerability possibly allowing ACE vulnerability in Settings page AJAX that can result in could allow admin to execute arbitrary code in some circum...

CWE-5022018

CVE-2018-1000527

HIGH

CVSS:7.2(High)

Froxlor version <= 0.9.39.5 contains a PHP Object Injection vulnerability in Domain name form that can result in Possible information disclosure and remote code execution. This attack appear to be exp...

CWE-5022018