Cyber Resilience

CVE-2022-34487

Severity: Critical
Published: 21 July 2022
Modified: 21 November 2024
KEV added: not listed
Patch: available
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.4840 (97.8th percentile)
Risk priority: 49 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-34487 is a critical-severity vulnerability (weakness type unspecified in this record) in Oxilab Shortcode Addons. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an unauthenticated arbitrary option update flaw, tracked as CVE-2022-34487, that affects the Shortcode Addons plugin for WordPress in versions up to and including 3.0.2. It carries a CVSS 3.1 base score of 9.8 and is associated with CWE-264. The issue resides in plugin code authored by biplob018 and allows modification of site options without any access controls.

An unauthenticated attacker can send crafted requests over the network to update arbitrary WordPress options. Successful exploitation grants the ability to alter configuration values, which can lead to full site takeover including administrative access, data manipulation, or service disruption.
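To make the flaw class concrete from a defender's side, the following is an added, hypothetical WordPress plugin snippet (not the Shortcode Addons plugin's own code; the hook names, option names and function names are invented for illustration). It shows the pattern that produces an unauthenticated arbitrary option update next to a hardened handler that restricts who may write, which keys may be written, and what values are accepted.

```php
<?php
// Hypothetical example, not code from the Shortcode Addons plugin.
// Hook names, option keys and function names are invented.

// --- Vulnerable pattern ---------------------------------------------------
// Registered on the "nopriv" AJAX hook, so unauthenticated visitors can reach
// it, and it writes whatever option name and value the request supplies.
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_vulnerable' );
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_vulnerable' );

function example_save_setting_vulnerable() {
    $name  = $_POST['option_name'] ?? '';
    $value = $_POST['option_value'] ?? '';
    // No capability check, no nonce, no allow-list: any option name the
    // caller chooses, including WordPress core settings, is overwritten.
    update_option( $name, $value );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// 1. Authenticated hook only (no "nopriv" registration).
// 2. Capability check: only users who may manage options can write.
// 3. Nonce check to block cross-site request forgery.
// 4. Allow-list of option keys the plugin owns, each with a sanitiser.
add_action( 'wp_ajax_example_save_setting_safe', 'example_save_setting_hardened' );

function example_save_setting_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_* terminate execution
    }
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // Only these plugin-owned keys may be written, each through a sanitiser.
    $allowed = array(
        'example_plugin_label' => 'sanitize_text_field',
        'example_plugin_limit' => 'absint',
    );
    $name = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! array_key_exists( $name, $allowed ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );
    update_option( $name, $value );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of bug, look for `update_option` calls reachable from `wp_ajax_nopriv_*`, REST routes with a permissive `permission_callback`, or `init`/`admin_init` handlers that read the option name from the request.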

References from Patchstack and the WordPress plugin repository indicate that the flaw was addressed by updating to version 3.0.3, with the fix available through the standard plugin update mechanism on WordPress.org.

The associated EPSS score reached a peak of 0.5358 before receding to its current value of 0.4840.

Vulnerability details

Unauthenticated Arbitrary Option Update vulnerability in biplob018's Shortcode Addons plugin <= 3.0.2 at WordPress.

CWE(s)

CWE-264

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: oxilab
Product: shortcode addons
Versions: ≤ 3.0.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
