CVE-2022-3416
Published: 09 January 2023
Summary
CVE-2022-3416 is a high-severity an unspecified weakness vulnerability in Bravenewcode Wptouch. Its CVSS base score is 7.2 (High).
Operationally, ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The WPtouch WordPress plugin before version 4.3.45 contains an insufficient image validation flaw during file upload handling. This affects the plugin component responsible for processing uploads by high-privilege accounts, permitting arbitrary file types to be written to the server in configurations such as multisite WordPress deployments where such actions should be restricted.
An attacker with administrative privileges can exploit the issue over the network by submitting crafted upload requests that bypass intended checks. Successful exploitation grants the ability to place malicious files on the server, potentially leading to full compromise of confidentiality, integrity, and availability as reflected in the CVSS 7.2 score.
The referenced WPScan disclosures identify the affected versions and point to remediation through an update to 4.3.45 or later. The associated EPSS score rose materially from a low baseline to a peak of 0.1510 before receding to the current value of 0.0124, indicating a period of increased exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-42793
Vulnerability details
The WPtouch WordPress plugin before 4.3.45 does not properly validate images to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite…
more
setup)
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.