CVE-2022-0320
Published: 01 February 2022
Summary
CVE-2022-0320 is a critical-severity Path Traversal (CWE-22) vulnerability in Wpdeveloper Essential Addons For Elementor. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 10.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Essential Addons for Elementor WordPress plugin before version 5.0.5 contains an improper input validation flaw tracked as CVE-2022-0320. The component fails to validate or sanitize template data supplied to PHP include statements, enabling path traversal under CWE-22. The issue received a CVSS 3.1 score of 9.8 reflecting network-accessible exploitation without authentication or user interaction.
Unauthenticated attackers can supply crafted template parameters to read arbitrary files on the server. Successful LFI can be escalated to remote code execution when combined with user-uploaded files or other server-side techniques that place attacker-controlled content in locations reachable by the include.
Public advisories from WPScan identify the root cause in the affected plugin versions and recommend updating to 5.0.5 or later to close the inclusion path.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0600 before receding to the current value of 0.0451, indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15489
Vulnerability details
The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before it them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the…
more
server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.