CVE-2022-2437
Published: 18 July 2022
Summary
CVE-2022-2437 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Slickremix Feed Them Social. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 6.2% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
The Feed Them Social plugin for WordPress, versions up to and including 2.9.8.5, contains a deserialization of untrusted input flaw (CWE-502) triggered through the fts_url parameter. The vulnerability permits an attacker to supply a PHAR wrapper that causes PHP to deserialize attacker-controlled data and invoke arbitrary object methods when a suitable POP chain is available.
Unauthenticated remote attackers can exploit the issue over the network by first uploading a file containing a serialized payload and then referencing it via the vulnerable parameter. Successful exploitation can lead to arbitrary code execution or other malicious actions, consistent with the CVSS 9.8 rating that reflects no required authentication or user interaction.
Public advisories from Wordfence and the plugin's Trac changeset history indicate that the maintainers addressed the flaw in a subsequent release; site operators are therefore expected to update the Feed Them Social plugin to a patched version. The associated EPSS score has remained flat at 0.1158 with no material increase after disclosure.
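The practical fix for the pattern described above is to keep a user-supplied feed URL away from any PHP function that honours stream wrappers, and to allow only plain http(s) URLs. The following is an added defender-side example, not the plugin's own code; the function names fts_validate_feed_url and fts_fetch_feed and the example.com inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not the plugin's code; function names are assumed.
// Return the URL only if it is a plain http(s) URL with a host, otherwise null.
// A user-supplied value such as fts_url must pass this before it reaches any
// function that honours stream wrappers (file_exists, file_get_contents, fopen),
// since that is where a phar:// reference gets its metadata deserialized.
function fts_validate_feed_url(string $url): ?string
{
    $url = trim($url);
    // Control characters and embedded NULs never belong in a feed URL.
    if ($url === '' || preg_match('/[\x00-\x1f\x7f]/', $url) === 1) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // PHP resolves wrapper names case-insensitively, so normalise before the
    // allow-list check; this rejects phar://, PHAR://, file://, php://, data:.
    $scheme = strtolower($parts['scheme']);
    return ($scheme === 'http' || $scheme === 'https') ? $url : null;
}

// Fetch through an HTTP client, never a filesystem function, with cURL pinned
// to http/https so a redirect cannot switch protocols either. Inside WordPress
// the natural client is wp_safe_remote_get(); cURL keeps this stand-alone.
function fts_fetch_feed(string $userSuppliedUrl): ?string
{
    if (($url = fts_validate_feed_url($userSuppliedUrl)) === null) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}

// Constructed inputs: only the first two are accepted.
foreach (['https://example.com/feed.xml', 'http://example.com/?page=2', 'file:///etc/passwd',
          'phar:///var/www/uploads/feed.jpg/data', 'PHAR://uploads/x.phar', 'example.com/feed'] as $s) {
    printf("%-45s %s\n", $s, fts_validate_feed_url($s) === null ? 'rejected' : 'accepted');
}
```

Run it with the PHP CLI; the allow-list check is the part worth carrying into any plugin that accepts a URL parameter, while the fetch helper shows the HTTP-client side of the same rule.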
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34698
Vulnerability details
The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including, 2.9.8.5. This makes it possible for unauthenticated attackers to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions, granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing that supplies malicious serialized objects detects unsafe deserialization and supports corrective action.
- Deserialization testing of untrusted data handling reveals unsafe processing, which the remediation process then addresses.
- Untrusted serialized data is deserialized and observed inside an isolated sandbox, so a gadget chain cannot execute outside it.
- Untrusted serialized data is validated or rejected before deserialization occurs.
- Malicious code introduced through deserialization of untrusted data is identified and blocked at system boundaries.
- Integrity verification of serialized data detects tampering before deserialization occurs.
- Provenance of the associated data allows untrusted sources to be detected before deserialization or processing occurs.