CVE-2022-34487
Published: 21 July 2022
Summary
CVE-2022-34487 is a critical-severity vulnerability of unspecified weakness type in Oxilab Shortcode Addons. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is an unauthenticated arbitrary option update flaw, tracked as CVE-2022-34487, that affects the Shortcode Addons plugin for WordPress in versions up to and including 3.0.2. It carries a CVSS 3.1 base score of 9.8 and is associated with CWE-264. The issue resides in plugin code authored by biplob018 and allows modification of site options without any access controls.
An unauthenticated attacker can send crafted requests over the network to update arbitrary WordPress options. Successful exploitation grants the ability to alter configuration values, which can lead to full site takeover including administrative access, data manipulation, or service disruption.
References from Patchstack and the WordPress plugin repository indicate that the flaw was addressed by updating to version 3.0.3, with the fix available through the standard plugin update mechanism on WordPress.org.
The associated EPSS score reached a peak of 0.5358 before receding to its current value of 0.4840.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-37442
Vulnerability details
Unauthenticated Arbitrary Option Update vulnerability in biplob018's Shortcode Addons plugin <= 3.0.2 at WordPress.
- CWE(s): CWE-264
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.