CVE-2022-4061
Published: 19 December 2022
Summary
CVE-2022-4061 is a high-severity vulnerability (weakness type unspecified) in Ultimatemember JobBoardWP. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 3.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability CVE-2022-4061 affects the JobBoardWP WordPress plugin prior to version 1.2.2. Its file upload functionalities lack proper validation of file names and types, which permits the upload of arbitrary files such as PHP scripts.
Unauthenticated attackers can exploit the flaw over the network with low complexity and no required user interaction. Successful exploitation allows them to upload malicious files and achieve high integrity impact on the affected site, consistent with the reported CVSS 7.5 score.
The WPScan advisory linked in the references identifies the missing validation and indicates that the issue is resolved by updating to JobBoardWP 1.2.2 or later. The EPSS score has remained steady at its peak value of 0.2725 with no material rise after disclosure.
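The advisory describes the missing control rather than showing one, so the following standalone PHP function is an added illustration of the kind of server-side check whose absence it reports. It is not code from the JobBoardWP plugin or from the advisory; the function name, the allow-list and the storage naming scheme are this example's own choices. It rejects a file unless the final extension is on a short allow-list, no earlier dotted segment is a script-like extension (so `cv.php.pdf` fails), and the content sniffed with `finfo` matches the MIME type expected for that extension.

```php
<?php
// Added example: a defensive upload validator in plain PHP (no WordPress dependency).
// The function name and the allow-list are illustrative, not the plugin's code.

/**
 * Returns a server-generated file name to store the upload under, or null if
 * the upload must be rejected.
 *
 * @param string $originalName  Client-supplied name (never trusted).
 * @param string $tmpPath       Path to the uploaded temporary file.
 */
function validate_job_upload(string $originalName, string $tmpPath): ?string
{
    // Allow-list of final extension => MIME types accepted for it, as sniffed from content.
    $allowed = [
        'pdf'  => ['application/pdf'],
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
    ];

    // 1. Reduce the client name to a base name; drop directory components and odd characters.
    $base = basename(str_replace('\\', '/', $originalName));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    if ($base === '' || $base[0] === '.') {
        return null; // empty or dot-file name (e.g. .htaccess)
    }

    // 2. Check every dotted segment, not only the last one: "shell.php.pdf" must fail.
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return null; // no extension at all
    }
    $ext = array_pop($parts);
    if (!isset($allowed[$ext])) {
        return null; // final extension not on the allow-list
    }
    $scriptLike = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7', 'php8',
                   'phps', 'pht', 'htaccess', 'cgi', 'pl', 'sh'];
    foreach ($parts as $segment) {
        if (in_array($segment, $scriptLike, true)) {
            return null; // script-like extension hidden before the final one
        }
    }

    // 3. Sniff the file content; the client's Content-Type header is not consulted.
    if (!is_file($tmpPath)) {
        return null;
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);
    if (!in_array($mime, $allowed[$ext], true)) {
        return null; // content does not match the claimed extension
    }

    // 4. Store under a random server-generated name so the client never controls the path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage (constructed input): $name = validate_job_upload($_FILES['cv']['name'], $_FILES['cv']['tmp_name']);
// A null result means the request should be refused with a 4xx and logged.
```

Inside WordPress the native equivalent of step 3 is `wp_check_filetype_and_ext()`, which likewise compares sniffed content with the extension. Independently of the plugin fix, the usual hardening for this class of issue is to deny PHP execution in the uploads directory at the web server, and a simple detection is to alert on any file with a script-like extension being written under `wp-content/uploads`.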
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51438
Vulnerability details
The JobBoardWP WordPress plugin before 1.2.2 does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.