CVE-2022-4060
Published: 16 January 2023
Summary
CVE-2022-4060 is a critical-severity vulnerability of unspecified weakness type (no CWE assigned) in Odude User Post Gallery. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The User Post Gallery WordPress plugin through version 2.19 is affected by CVE-2022-4060, a critical flaw in which the plugin fails to restrict the callback functions that can be invoked by users. This permits arbitrary code execution on any site running the vulnerable plugin. The issue carries a CVSS v3.1 score of 9.8, reflecting network-accessible attack vectors with no required authentication or user interaction.
Unauthenticated visitors can directly exploit the weakness to invoke arbitrary callbacks, resulting in full compromise of confidentiality, integrity, and availability on the target WordPress installation. The published description explicitly states that any site visitor can run code, enabling outcomes such as data exfiltration, site defacement, or persistent backdoor installation.
The associated EPSS score has remained elevated, with a current value of 0.8872 and a recorded peak of 0.9112. WPScan has published technical details on the vulnerability at the referenced advisory URL.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51437
Vulnerability details
The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible for any visitor to run code on sites running it.
- CWE(s): none listed
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.