CVE-2022-1392
Published: 25 April 2022
Summary
CVE-2022-1392 is a high-severity Path Traversal (CWE-22) vulnerability in Commoninja Videos Sync Pdf. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Videos sync PDF WordPress plugin through version 1.7.4 contains a local file inclusion vulnerability (CWE-22) because it fails to validate the p parameter before passing it to an include statement. The flaw affects any deployment of this plugin and carries a CVSS 3.1 base score of 7.5, reflecting network-accessible, unauthenticated read access to arbitrary files on the server.
An unauthenticated remote attacker can supply a crafted p value to traverse the filesystem and retrieve sensitive local files such as wp-config.php or other configuration data. Successful exploitation discloses contents that may contain database credentials or other secrets without requiring user interaction or elevated privileges.
Public references on WPScan and PacketStorm document the issue and provide proof-of-concept requests, but do not detail official patches or mitigation steps beyond the implication that sites should update or remove the affected plugin. The EPSS score reached a peak of 0.6516 and currently sits at 0.5089, indicating sustained but not sharply escalating exploitation interest after disclosure.
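The weakness described above is a raw request parameter reaching an include statement. As an added example (not the plugin's code and not taken from the WPScan or PacketStorm references), the following PHP shows how a defender would constrain such a parameter before any include: a strict name allowlist, canonicalisation with realpath(), and a check that the resolved file stays under the intended directory. The function name, the "default" template and the temporary directory are all hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-supplied template name (e.g. a "p" parameter) to a file
 * inside $baseDir, or return null if it must be rejected.
 * Vulnerable pattern being replaced: passing the raw parameter to include().
 */
function resolve_include_path(string $baseDir, string $param): ?string
{
    // 1. Accept only simple names: no slashes, dots, null bytes or wrappers.
    //    \z (not $) so a trailing newline cannot slip past the check.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $param)) {
        return null;
    }
    // 2. Canonicalise the base directory and the candidate file.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $param . '.php');
    // 3. The file must exist and resolve to a path under the base directory.
    if ($candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary template directory holding one legitimate file.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tmpl-demo-' . bin2hex(random_bytes(4));
mkdir($tmp);
file_put_contents($tmp . '/default.php', "<?php echo \"template ok\\n\";");

// Constructed inputs: one legitimate name and several shapes a validator must reject.
$inputs = [
    'default',                       // legitimate template name
    '../../wp-config',               // relative traversal
    '/etc/passwd',                   // absolute path
    "default\0",                     // null-byte truncation
    'php://filter/resource=default', // stream wrapper
];
foreach ($inputs as $in) {
    $path = resolve_include_path($tmp, $in);
    printf("%-32s => %s\n", addcslashes($in, "\0"),
        $path === null ? 'REJECTED' : 'include ' . basename($path));
}

unlink($tmp . '/default.php');
rmdir($tmp);
```

Only the first input resolves; everything else is rejected before include() is ever reached.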
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24709
Vulnerability details
The Videos sync PDF WordPress plugin through 1.7.4 does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.