CVE-2022-28590
Published: 03 May 2022
Summary
CVE-2022-28590 is a high-severity vulnerability in Pixelimity with no CWE assigned (weakness type unspecified). Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-28590 is a remote code execution vulnerability in Pixelimity version 1.0 that is triggered through the administrative endpoint admin/admin-ajax.php when the action parameter is set to install_theme. The flaw received a CVSS 3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability when successfully exploited.
An attacker holding administrative credentials can submit a malicious theme package through the affected AJAX handler and obtain arbitrary code execution on the underlying server. Because the vector requires high privileges and no user interaction, exploitation is limited to accounts that already have access to the administrative interface; in practice the flaw turns a stolen, weak, or phished admin credential into full compromise of the host, so the strength of admin authentication is the main compensating factor.
Public references consist solely of GitHub issue reports that document the flaw; no vendor advisory, patch release, or official mitigation guidance is referenced in the available sources. The associated EPSS score (estimated probability of exploitation in the next 30 days) has remained flat at 0.3931 with no material increase after disclosure.
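Since no patch or vendor mitigation is referenced, an operations-side check is the practical fallback. The following Python is an added example, not code from the Pixelimity project or from the CVE references: it parses combined-format web-server access logs (an assumed log format), alerts on every call to admin/admin-ajax.php with action=install_theme, and flags any later request from the same client to a PHP path outside a constructed allowlist of known application scripts, the pattern expected if the uploaded theme package carried a web shell. The sample log lines, the client addresses, and the theme directory path in them are constructed; the page does not document Pixelimity's real theme directory layout.

```python
"""Access-log detection for abuse of Pixelimity's admin-ajax.php install_theme
handler (CVE-2022-28590). Added example; not project code.

Assumptions not stated in the CVE text: logs are in Apache/nginx "combined"
format, and a malicious theme install is followed by the same client requesting
a PHP file that the application did not previously serve.
"""
import re
from urllib.parse import urlsplit, parse_qs

# One combined-format line: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed allowlist of legitimate PHP entry points (assumption, not from the page).
KNOWN_PHP = {"/index.php", "/admin/index.php", "/admin/admin-ajax.php"}

# Constructed sample traffic: one admin session abusing install_theme, one benign session.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2022:10:14:02 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2022:10:14:09 +0000] "POST /admin/admin-ajax.php?action=install_theme HTTP/1.1" 200 61 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2022:10:14:15 +0000] "GET /content/themes/evil/shell.php?cmd=id HTTP/1.1" 200 243 "-" "Mozilla/5.0"
198.51.100.4 - - [03/May/2022:10:20:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "curl/7.68.0"
198.51.100.4 - - [03/May/2022:10:20:05 +0000] "POST /admin/admin-ajax.php?action=save_settings HTTP/1.1" 200 61 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def is_theme_install(ev):
    """True for a request to the affected AJAX handler with action=install_theme."""
    return (ev["path"].endswith("/admin/admin-ajax.php")
            and ev["query"].get("action") == ["install_theme"])


def detect(lines, known_php=KNOWN_PHP):
    """Return (installs, followups).

    installs  : every install_theme call. The action is rare in normal use and is
                the CVE's entry point, so each one is worth an alert on its own.
    followups : later requests by the same client to a .php path outside known_php,
                i.e. a candidate web shell dropped by a malicious theme package.
    """
    installs, followups = [], []
    installed_from = set()
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if is_theme_install(ev):
            installs.append(ev)
            installed_from.add(ev["ip"])
        elif (ev["ip"] in installed_from
              and ev["path"].endswith(".php")
              and ev["path"] not in known_php):
            followups.append((ev["ip"], ev["path"]))
    return installs, followups


if __name__ == "__main__":
    installs, followups = detect(SAMPLE_LOG.splitlines())
    for ev in installs:
        print(f"ALERT install_theme from {ev['ip']} at {ev['ts']} (HTTP {ev['status']})")
    for ip, path in followups:
        print(f"ALERT possible web shell: {ip} requested {path} after theme install")
```

Keying the follow-up check on the client address is a deliberate simplification; on a real deployment the session cookie or authenticated user name is a better correlation key, and the allowlist should be generated from the installed application tree rather than typed by hand.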
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33032
Vulnerability details
A Remote Code Execution (RCE) vulnerability exists in Pixelimity 1.0 via admin/admin-ajax.php?action=install_theme.
- CWE(s): none assigned
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Pixelimity 1.0 (admin/admin-ajax.php, action=install_theme)
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.