CVE-2022-4101
Published: 16 January 2023
Summary
CVE-2022-4101 is a critical-severity vulnerability in the Images Optimize and Upload CF7 WordPress plugin (vendor listed as Images Optimize And Upload Cf7 Project). The record assigns no weakness type; the description is an unauthenticated path traversal that leads to arbitrary file deletion. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 2.5% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Images Optimize and Upload CF7 WordPress plugin through version 2.1.4 contains an unauthenticated file deletion flaw. An AJAX action fails to validate the supplied file path, so path traversal sequences in the parameter can point the deletion at arbitrary files on the underlying server. The CVSS 3.1 base score of 9.1 reflects a network-reachable flaw with high impact to integrity and availability (files are destroyed, not read), requiring neither authentication nor user interaction.
An unauthenticated attacker can invoke the AJAX endpoint with a crafted path to delete chosen files, resulting in denial of service or removal of critical site components. No special privileges or prior access are needed beyond network reach to the plugin's exposed action; WordPress serves AJAX actions registered for unauthenticated users through wp-admin/admin-ajax.php, which does not require a login.
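The pattern described above, as an added illustration that is not the plugin's own code: an AJAX delete handler registered for unauthenticated users that trusts the supplied path, next to a hardened version that requires an authenticated, nonce-protected request and confines the resolved path to the intended directory. The handler names, the `example_` prefix, the `file` request parameter and the `example-temp` directory are assumptions; the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `sanitize_file_name`, `wp_get_upload_dir`, `wp_delete_file`, `wp_send_json_*`) are standard core API.

```php
<?php
// Added illustration, not the plugin's code. Hook names, parameter names,
// the 'example_' prefix and the 'example-temp' directory are assumptions.

// Unsafe pattern: the 'wp_ajax_nopriv_' prefix exposes the action to
// unauthenticated requests, and the file path comes straight from the
// request, so "../" sequences escape the intended directory.
add_action( 'wp_ajax_nopriv_example_delete_file', 'example_delete_file_unsafe' );
function example_delete_file_unsafe() {
    $file = isset( $_POST['file'] ) ? $_POST['file'] : '';
    $path = wp_get_upload_dir()['basedir'] . '/example-temp/' . $file;
    if ( file_exists( $path ) ) {
        unlink( $path ); // deletes whatever the traversal resolved to
    }
    wp_send_json_success();
}

// Hardened version: authenticated hook only, nonce check, capability check,
// filename sanitised and reduced to a bare basename, and the canonical path
// verified to sit inside the intended directory before deletion.
add_action( 'wp_ajax_example_delete_file', 'example_delete_file_safe' );
function example_delete_file_safe() {
    check_ajax_referer( 'example_delete_file', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $name   = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $target = example_confine_path( wp_get_upload_dir()['basedir'] . '/example-temp', $name );
    if ( null === $target ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $target );
    wp_send_json_success();
}

// Returns the canonical path of $name inside $base_dir, or null when the
// name is empty, carries a directory component, does not exist, resolves
// outside $base_dir, or is a directory rather than a file.
function example_confine_path( $base_dir, $name ) {
    if ( '' === $name || basename( $name ) !== $name ) {
        return null;
    }
    $base = realpath( $base_dir );
    $full = realpath( $base_dir . '/' . $name );
    if ( false === $base || false === $full ) {
        return null;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $full, $base, strlen( $base ) ) || is_dir( $full ) ) {
        return null;
    }
    return $full;
}
```

The confinement check is the part that does not depend on the sanitiser: `realpath()` collapses any `..` and symlink components, and the prefix comparison against the canonical base directory (with a trailing separator, so `/uploads/example-temp2` is not accepted as inside `/uploads/example-temp`) rejects anything that resolved elsewhere. Dropping the `wp_ajax_nopriv_` registration is what removes the unauthenticated reachability the advisory describes; the nonce and capability checks then bound who can delete even their own uploads.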
EPSS for this vulnerability rose over time to a peak of 0.5627 on 2025-12-11 and has since receded to the current 0.4082. Exploitation interest therefore increased well after the January 2023 disclosure, and the issue merits renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51471
Vulnerability details
The Images Optimize and Upload CF7 WordPress plugin through 2.1.4 does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack.
- CWE(s): none mapped in this record (the description indicates path traversal leading to arbitrary file deletion)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Images Optimize and Upload CF7 WordPress plugin, all versions through 2.1.4.
Mitigating Controls
No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. This page does not state a fixed plugin version, so treat any installation at version 2.1.4 or earlier as affected and verify the installed version directly rather than relying on the mapping.