Cyber Resilience

CVE-2022-1560

Severity: Medium · Public PoC

Published: 16 May 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (version 3.8)
CVSS v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS: 0.2244 (96.0th percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-1560 is a medium-severity Path Traversal (CWE-22) vulnerability in the Amministrazione Aperta WordPress plugin (vendor listed as Amministrazione Aperta Project). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, it ranks in the top 4.0% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof of concept is referenced.

Deeper analysis

The Amministrazione Aperta WordPress plugin before version 3.8 contains a local file inclusion (LFI) vulnerability, classed as CWE-22 path traversal, in which the value of the open request parameter is passed directly to an include statement without validation. The affected code is not reachable by direct unauthenticated requests, because loading the file directly triggers a fatal error before the include executes; this limits the practical attack surface to authenticated contexts, namely the plugin's pages in the WordPress dashboard.

An attacker can exploit the issue by accessing the affected functionality while logged in as an administrator, or by crafting a malicious link that a logged-in administrator is induced to open (hence the PR:N/UI:R vector). Successful exploitation allows arbitrary local files to be included and read, disclosing sensitive information, with no impact on integrity or availability (C:H/I:N/A:N).

Public references from WPScan identify the affected plugin versions and document the corrected release, 3.8; administrators should update to 3.8 or later to remove the vulnerable code path.

The EPSS score for this CVE reached a peak of 0.2777 in late 2025 before receding to the current value of 0.2244.

Vulnerability details

The Amministrazione Aperta WordPress plugin before 3.8 does not validate the open parameter before using it in an include statement, leading to a Local File Inclusion issue. The original advisory mentions that unauthenticated users can exploit this, however the affected file generates a fatal error when accessed directly and the affected code is not reached. The issue can be exploited via the dashboard when logged in as an admin, or by making a logged in admin open a malicious link.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Amministrazione Aperta Project
Product: Amministrazione Aperta (WordPress plugin)
Versions: < 3.8 (fixed in 3.8)

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Pathname and filename validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories. For this CVE that means restricting the open parameter to a fixed allowlist of page names and confirming that the resolved include path stays within the plugin's own directory.
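As an added example (not the Amministrazione Aperta plugin's own code), the following PHP shows the pattern described in the deeper analysis, a request parameter named open reaching include() unvalidated, next to a hardened form that applies the CWE-22 control above: a fixed allowlist plus a realpath containment check, combined with a capability check and a nonce so that a crafted link opened by a logged-in admin no longer works. The function names, the pages/ directory, the allowlist and the CLI stubs for WordPress functions are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
/*
 * Added example for CVE-2022-1560, not the Amministrazione Aperta plugin's
 * own code. It shows the CWE-22 pattern the advisory describes (the `open`
 * request parameter reaching include() unvalidated) next to a hardened
 * version. Function names, the pages/ directory and the allowlist are
 * hypothetical; the WordPress calls are guarded with function_exists() so the
 * file also runs on plain PHP CLI, where the stubs below stand in for them.
 */

if (!function_exists('current_user_can')) {       // stub for CLI runs only
    function current_user_can(string $cap): bool { return true; }
}
if (!function_exists('check_admin_referer')) {    // stub for CLI runs only
    function check_admin_referer(string $action): bool { return true; }
}
if (!function_exists('wp_die')) {                 // stub for CLI runs only
    function wp_die(string $msg): void { throw new RuntimeException($msg); }
}

const AA_PAGES_DIR = __DIR__ . '/pages';

// VULNERABLE pattern (CWE-22): the request value is concatenated straight into
// the include path. open=../secret.txt or open=../../../wp-config.php walks out
// of pages/ and the file's contents are read and emitted in the admin page.
function aa_render_page_vulnerable(array $get): void
{
    $open = $get['open'] ?? 'home.php';
    include AA_PAGES_DIR . '/' . $open;
}

// HARDENED: the parameter selects a name from a fixed allowlist, and the
// resolved path is additionally checked to sit inside pages/ (defence in depth).
const AA_ALLOWED_PAGES = ['home', 'documents', 'settings'];

function aa_resolve_page(string $open): ?string
{
    if (!in_array($open, AA_ALLOWED_PAGES, true)) {
        return null;                                   // anything not ours, incl. "../x" or "home\0"
    }
    $base      = realpath(AA_PAGES_DIR);
    $candidate = realpath(AA_PAGES_DIR . '/' . $open . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                   // resolved outside pages/
    }
    return $candidate;
}

function aa_render_page_hardened(array $get): void
{
    if (!current_user_can('manage_options')) {         // admins only
        wp_die('Insufficient privileges');
    }
    check_admin_referer('aa_open_page');               // nonce: blocks the "admin opens a crafted link" vector
    $file = aa_resolve_page((string) ($get['open'] ?? 'home'));
    if ($file === null) {
        wp_die('Unknown page');
    }
    include $file;
}

// Demo when executed directly: php lfi_example.php
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    @mkdir(AA_PAGES_DIR);
    file_put_contents(AA_PAGES_DIR . '/home.php', "<?php echo \"home page\\n\";");
    file_put_contents(__DIR__ . '/secret.txt', "DB_PASSWORD=hunter2\n"); // constructed sample secret

    echo "vulnerable, open=../secret.txt => ";
    aa_render_page_vulnerable(['open' => '../secret.txt']);             // leaks the secret

    foreach (['home', '../secret.txt', 'home/../../secret.txt', "home\0"] as $probe) {
        $resolved = aa_resolve_page($probe);
        printf("hardened,   open=%-22s => %s\n", addcslashes($probe, "\0"),
               $resolved === null ? 'rejected' : 'includes ' . basename($resolved));
    }
}
```

Run with `php lfi_example.php`: the vulnerable function echoes the constructed secret.txt back, while aa_resolve_page() accepts only `home` and rejects every traversal probe, including one that starts with an allowlisted name. The allowlist is the primary control; the realpath check only guards against the allowlist itself being extended carelessly later, and the nonce is what closes the "induce an admin to open a link" path the advisory describes.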
