Cyber Resilience

CVE-2022-0320

Critical

Published: 01 February 2022
Modified: 21 November 2024
KEV Added: none
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0451 (89.4th percentile)
Risk Priority: 22 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-0320 is a critical-severity Path Traversal (CWE-22) vulnerability in Wpdeveloper Essential Addons For Elementor. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 10.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Essential Addons for Elementor WordPress plugin before version 5.0.5 contains an improper input validation flaw tracked as CVE-2022-0320. The component fails to validate or sanitize template data supplied to PHP include statements, enabling path traversal under CWE-22. The issue received a CVSS 3.1 score of 9.8 reflecting network-accessible exploitation without authentication or user interaction.

Unauthenticated attackers can supply crafted template parameters to read arbitrary files on the server. Successful LFI can be escalated to remote code execution when combined with user-uploaded files or other server-side techniques that place attacker-controlled content in locations reachable by the include.

Public advisories from WPScan identify the root cause in the affected plugin versions and recommend updating to 5.0.5 or later to close the inclusion path.

EPSS for the CVE rose from a low baseline to a recorded peak of 0.0600 before receding to the current value of 0.0451, indicating measurable post-disclosure exploitation interest.

EU & UK References

Vulnerability details

The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before using it in include statements, which could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server; this could also lead to RCE via user-uploaded files or other LFI-to-RCE techniques.

CWE(s)

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

wpdeveloper
essential addons for elementor
≤ 5.0.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not yet been run; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.
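The control above, applied to the include pattern the analysis describes, as an added example (not code from the Essential Addons plugin or from this page): a requested template name is checked against an allowlist and then canonicalised with realpath() and confirmed to sit inside the template directory before it is ever passed to include. The template directory, the allowlist entries and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not the plugin's own code. The flaw described above has the
// general shape of an include built from request-controlled data, e.g.
//   include $template_dir . '/' . $_GET['template'] . '.php';   // vulnerable (illustrative)
// resolve_template() is the hardened counterpart: allowlist first, then a
// canonical-path containment check, returning null for anything else.

function resolve_template(string $requested, string $template_dir, array $allowlist): ?string
{
    // 1. Allowlist by name: only templates the code knows about may be included.
    if (!in_array($requested, $allowlist, true)) {
        return null;
    }

    // 2. Canonicalise both sides and confirm containment, so that symlinks,
    //    encoded separators or an allowlist entry that is itself a path
    //    cannot escape the template directory.
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;                 // directory missing or template not on disk
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                 // resolved outside the base directory
    }
    return $path;
}

// Demo with a constructed temporary template directory (assumption for this example).
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/card.php", "<?php echo 'card template';\n");
$allow = ['card', 'grid'];          // 'grid' is allowed by name but absent on disk

$cases = ['card', 'grid', '../card', 'card/../../outside'];
foreach ($cases as $c) {
    $r = resolve_template($c, $dir, $allow);
    printf("%-24s => %s\n", var_export($c, true), $r === null ? 'rejected' : 'include ' . $r);
}
// Only 'card' resolves. 'grid' is rejected because realpath() fails for a
// missing file; both traversal attempts already fail the allowlist check.

unlink("$dir/card.php");
rmdir($dir);
```

The allowlist alone decides the outcome for the inputs shown; the realpath() containment check is defence in depth for the case where the allowlist is populated from configuration or the file system and an entry could itself contain separators. Either check on its own is weaker than the two together, and neither replaces updating the plugin to 5.0.5 or later.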

References