Cyber Resilience

CVE-2022-3416

Severity: High · Public PoC referenced

Published: 09 January 2023
Modified: 09 April 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (update to 4.3.45 or later)
CVSS v3.1 Score: 7.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0124 (79.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-3416 is a high-severity vulnerability in the WPtouch plugin for WordPress by BraveNewCode; no CWE has been assigned to it. Its CVSS v3.1 base score is 7.2 (High).

Operationally, it ranks in the top 20.4% of CVEs by EPSS exploit likelihood (79.6th percentile), it is not currently listed in the CISA KEV catalog, and a public proof of concept is referenced.

Deeper analysis

The WPtouch WordPress plugin before version 4.3.45 does not properly validate files submitted through its image upload handling. Because the check does not establish that the uploaded content is actually an image, a high-privilege user can have a file of arbitrary type written to the server through a path that WordPress would otherwise restrict. The multisite case is the one that matters: WordPress confines uploads to an allowlist of file types unless the account holds the unfiltered_upload capability, and in a multisite installation that capability is never available to an individual site's administrator, so this flaw let a site administrator step outside the allowlist.

An attacker holding an administrator account (the PR:H in the CVSS vector) can exploit the issue over the network by submitting crafted upload requests that pass the plugin's image check while carrying non-image content. In practice that means a compromised or malicious site administrator, or an attacker who has already reached that privilege level by other means. Successful exploitation places an attacker-controlled file on the server; if that file is a PHP script and the upload location executes PHP, the result is code execution under the web server's account, which is the full loss of confidentiality, integrity and availability (C:H/I:H/A:H) behind the 7.2 score. Whether the uploads directory is allowed to execute scripts is therefore the decisive factor in real-world impact, and denying execution there (a web server rule that refuses to serve .php from wp-content/uploads) is a worthwhile defence independent of the patch.
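The class of check at issue, as an added Python illustration that is not the plugin's code and does not come from WPScan or this page: a client-trusting image check of the kind that lets non-image files through, beside a check that decides from the file bytes and an extension allowlist, with the strict check reused to sweep an uploads tree after the fact. WordPress core's own equivalent of the strict check is wp_check_filetype_and_ext(); the function names, the signature table and the sample uploads below are constructed for this example.

```python
"""Image-upload validation, added illustration for CVE-2022-3416.

weak_is_image()   : trusts the client (declared MIME type or extension), the
                    class of check that lets non-image files through.
strict_is_image() : decides from the bytes plus an extension allowlist.
sweep_uploads()   : applies the strict check to files already on disk.
All names and the sample uploads are constructed for this example.
"""
import os
import re
from dataclasses import dataclass

# Magic-byte prefixes for the only image types we accept (constructed table;
# extend deliberately, never by trusting a client-supplied MIME type).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
CANONICAL_EXT = {"jpeg": "jpg"}  # extension aliases
# One name segment and one extension, no dots inside the name (blocks shell.php.png).
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.(png|jpe?g|gif)", re.IGNORECASE)


@dataclass
class Upload:
    filename: str      # name as supplied by the client
    content_type: str  # Content-Type as supplied by the client
    data: bytes        # file body


def weak_is_image(u: Upload) -> bool:
    """Weak check: believes the client. 'shell.php' sent with Content-Type
    image/png, or any extension the client chooses, passes."""
    ext = u.filename.lower().rsplit(".", 1)[-1]
    return u.content_type.startswith("image/") or ext in IMAGE_SIGNATURES


def sniff_image_type(data: bytes):
    """Return the canonical extension matching the file's magic bytes, or None."""
    for ext, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def strict_is_image(u: Upload) -> tuple:
    """Hardened check. Returns (accepted, reason)."""
    name = os.path.basename(u.filename)  # drop any path the client sent
    if not SAFE_NAME.fullmatch(name):
        return False, "filename is not <name>.<allowed image extension>"
    claimed = name.rsplit(".", 1)[1].lower()
    claimed = CANONICAL_EXT.get(claimed, claimed)
    actual = sniff_image_type(u.data)
    if actual is None:
        return False, "content is not a recognised image"
    if actual != claimed:
        return False, "extension .%s does not match content (%s)" % (claimed, actual)
    # A valid image header followed by PHP is a polyglot. This is a cheap
    # heuristic; the robust fix is to re-encode the image server-side.
    if b"<?php" in u.data:
        return False, "image contains a PHP open tag"
    return True, "ok"


def sweep_uploads(files):
    """Post-incident check of an uploads tree. files is an iterable of
    (relative_path, bytes); returns [(path, reason)] for every file the
    strict check would have refused."""
    findings = []
    for path, data in files:
        ok, reason = strict_is_image(Upload(path, "", data))
        if not ok:
            findings.append((path, reason))
    return findings


# Constructed sample uploads: one legitimate image and four that a
# client-trusting check accepts.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [
    Upload("photo.png", "image/png", PNG),
    Upload("shell.php", "image/png", b"<?php system($_GET['c']); ?>"),    # MIME lie
    Upload("shell.php.png", "image/png", b"<?php echo 1; ?>"),            # double extension
    Upload("cover.jpg", "image/jpeg", PNG),                               # ext/content mismatch
    Upload("poly.gif", "image/gif", b"GIF89a" + b"<?php phpinfo(); ?>"),  # polyglot
]

if __name__ == "__main__":
    for u in SAMPLES:
        print("%-14s weak=%-5s strict=%s" % (u.filename, weak_is_image(u), strict_is_image(u)))
    print(sweep_uploads((u.filename, u.data) for u in SAMPLES))
```

Run as a script it prints the verdict of each check for every sample: the weak check accepts all five, the strict check accepts only photo.png. sweep_uploads() takes (path, bytes) pairs, so it can be fed from an os.walk over wp-content/uploads on a site that ran a vulnerable version; the narrow allowlist and the PHP-tag heuristic are deliberate stand-ins for the more thorough approach of re-encoding every accepted image.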

The referenced WPScan disclosures identify the affected versions and give the remediation: update to 4.3.45 or later. The EPSS score rose from a low baseline to a peak of 0.1510 before receding to the current 0.0124. EPSS is a predicted probability of exploitation over the coming 30 days rather than a record of observed attacks, so the peak indicates heightened exploitation interest in the period following disclosure, not confirmed in-the-wild use.


Vulnerability details

The WPtouch WordPress plugin before 4.3.45 does not properly validate images to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

bravenewcode
wptouch
< 4.3.45 (fixed in 4.3.45)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
