Cyber Resilience

CVE-2022-1103

High · Public PoC

Published: 16 May 2022

Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1664 (95.1st percentile)
Risk Priority: 28 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-1103 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Advanced Uploader WordPress plugin (vendor: Advanced Uploader Project). Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 4.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Advanced Uploader WordPress plugin through version 4.2 contains an arbitrary file upload flaw (CWE-434): its upload handling does not restrict the extension or type of uploaded files, so any authenticated user can upload files with arbitrary extensions, including PHP scripts. The vulnerability carries a CVSS 3.1 base score of 8.8, reflecting a network attack vector, low attack complexity, low privileges required and no user interaction.

An attacker with subscriber-level credentials can send a crafted upload request to place a web shell or other malicious payload on the server, resulting in remote code execution with full confidentiality, integrity, and availability impact on the affected WordPress site. No user interaction is needed beyond initial authentication.
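To make the flaw concrete, the following is an added illustrative example and not code from the Advanced Uploader plugin (this page does not reproduce the plugin's source). It shows the vulnerable pattern the description implies (login is the only check, the client-supplied filename decides the extension) beside a hardened WordPress AJAX upload handler. The hook names, the nonce action and the allowlist are assumptions made for the example; `current_user_can`, `check_ajax_referer`, `wp_check_filetype_and_ext`, `wp_handle_upload` and `wp_send_json_*` are standard WordPress core functions.

```php
<?php
// Added illustrative example, not code from the Advanced Uploader plugin.
// Hook names ('adv_upload_vulnerable', 'adv_upload'), the nonce action and the
// allowlist are assumptions; the wp_* and current_user_can() calls are WordPress core.

// --- Vulnerable pattern: being logged in is the only check, and the client-supplied
// --- filename decides the extension, so subscriber + "shell.php" = PHP under /uploads.
add_action( 'wp_ajax_adv_upload_vulnerable', 'adv_upload_vulnerable' );
function adv_upload_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $dir  = wp_upload_dir();
    $name = basename( $_FILES['file']['name'] );   // attacker controls this, e.g. shell.php
    move_uploaded_file( $_FILES['file']['tmp_name'], $dir['path'] . '/' . $name );
    wp_send_json_success( array( 'url' => $dir['url'] . '/' . $name ) );
}

// --- Hardened handler: capability + nonce, server-side type allowlist, no trust in the name.
add_action( 'wp_ajax_adv_upload', 'adv_upload_hardened' );
function adv_upload_hardened() {
    check_ajax_referer( 'adv_upload', 'nonce' );                // CSRF: dies on a bad or missing nonce
    if ( ! current_user_can( 'upload_files' ) ) {               // subscribers lack this capability by default
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $file = $_FILES['file'];
    $name = sanitize_file_name( $file['name'] );

    // Narrow server-side allowlist (assumption: this feature only needs images and PDFs).
    // Never derive it from the request and never hand over the full get_allowed_mime_types() list.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Core validation: checks the extension against the allowlist and, for images,
    // that the bytes really are that image type; it may rename the file if they disagree.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not permitted', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename'];
    }
    // Belt and braces: refuse any server-executable extension anywhere in the name
    // (shell.php.jpg, x.phtml, .htaccess) even if something upstream accepted it.
    if ( preg_match( '/(^\.htaccess$|\.(php\d?|phtml|phar|pht)(\.|$))/i', $name ) ) {
        wp_send_json_error( 'executable extension rejected', 415 );
    }

    $file['name'] = $name;
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'], 'type' => $result['type'] ) );
}
```

The capability check alone closes the subscriber-level path described above; the type allowlist and extension check are what stop a user who legitimately holds `upload_files` from turning the endpoint into a PHP dropper. Pair the handler with a web-server rule that refuses to execute PHP under wp-content/uploads, so that a bypass of the validation still cannot reach code execution.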

The referenced WPScan entry documents the issue but does not detail vendor patches or configuration workarounds. The associated EPSS score has remained flat at 0.1664 with no material increase since disclosure.

EU & UK References

Vulnerability details

The Advanced Uploader WordPress plugin through 4.2 allows any authenticated user, such as a subscriber, to upload arbitrary files, such as PHP, which could lead to RCE.

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: advanced uploader project
Product: advanced uploader
Versions: ≤ 4.2

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

These are generic CWE-434 mappings rather than controls fitted to this CVE: the portable-media and firmware write-protect entries do not apply to an authenticated HTTP upload into a WordPress plugin. The controls that do apply here are server-side validation of the uploaded file's extension and type in the plugin itself, restricting the upload capability to trusted roles, denying PHP execution under wp-content/uploads at the web server, and scanning or detonating uploaded files before they are written to a web-served path.
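The scanning control above is preventive; for a site that may already have been hit, the landing zone for an exploit of this flaw is wp-content/uploads. The following is an added example (not from this page or the plugin) of a stand-alone PHP command-line hunt over that directory: it flags files with a server-executable extension, files whose leading bytes contain a PHP open tag (a web shell hidden inside an image), and marks anything modified within a chosen window. The path and window defaults are assumptions.

```php
<?php
// Added example (not from the page or the Advanced Uploader plugin): hunt for
// server-executable files planted under wp-content/uploads.
// Usage: php scan_uploads.php /var/www/html/wp-content/uploads [days]
// The default path and 30-day window are assumptions.

function scan_uploads( string $root, int $since ): array {
    // Extensions the web server may execute, anywhere in the name (shell.php.jpg included).
    $ext_re  = '/(^\.htaccess$|\.(php\d?|phtml|phar|pht|inc)(\.|$))/i';
    // PHP open tags; the legacy <script language="php"> form is kept for old hosts.
    $code_re = '/<\?(php\b|=)|<script\b[^>]*language\s*=\s*["\']?php/i';
    $hits    = array();
    $iter    = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $f ) {
        if ( ! $f->isFile() ) {
            continue;
        }
        $reasons = array();
        if ( preg_match( $ext_re, $f->getFilename() ) ) {
            $reasons[] = 'executable extension';
        }
        // Only the first 4 KiB: a web shell's open tag sits at or near the top, and
        // this keeps the scan cheap on large media libraries.
        $head = @file_get_contents( $f->getPathname(), false, null, 0, 4096 );
        if ( $head !== false && preg_match( $code_re, $head ) ) {
            $reasons[] = 'PHP open tag in content';
        }
        if ( $reasons ) {
            $hits[] = array(
                'path'    => $f->getPathname(),
                'mtime'   => $f->getMTime(),
                'recent'  => $f->getMTime() >= $since,
                'reasons' => $reasons,
            );
        }
    }
    // Newest first, so fresh drops surface at the top of the report.
    usort( $hits, function ( $a, $b ) { return $b['mtime'] <=> $a['mtime']; } );
    return $hits;
}

$root  = $argv[1] ?? 'wp-content/uploads';
$days  = (int) ( $argv[2] ?? 30 );
$since = time() - $days * 86400;

foreach ( scan_uploads( $root, $since ) as $h ) {
    printf( "%s %s %s (%s)\n",
        $h['recent'] ? '!!' : '  ',
        date( 'Y-m-d H:i:s', $h['mtime'] ),
        $h['path'],
        implode( ', ', $h['reasons'] )
    );
}
```

A hit with a recent modification time and both reasons is a strong indicator; a legitimate media library should contain no PHP at all, so treat any executable file under uploads as suspect until its origin is explained, and preserve it (and the corresponding web-server access log entries) before removing it.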

References