Cyber Resilience

CVE-2022-4101

Severity: Critical · Public PoC

Published: 16 January 2023
Modified: 04 April 2025
KEV Added: not listed
Patch: not listed
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.4082 (97.5th percentile)
Risk Priority: 43 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-4101 is a critical-severity arbitrary file deletion vulnerability (no CWE assigned on this page) in the Images Optimize and Upload CF7 WordPress plugin (vendor: Images Optimize and Upload CF7 Project). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, it ranks in the top 2.5% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Images Optimize and Upload CF7 WordPress plugin through version 2.1.4 contains an unauthenticated arbitrary file deletion flaw. An AJAX action reachable without login does not validate the supplied file path, so path traversal sequences can point the deletion at any file the web server process can unlink. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) records no confidentiality impact but high integrity and availability impact, reachable over the network with no privileges or user interaction.

An unauthenticated attacker invokes the AJAX action with a crafted path and deletes files of their choosing; deleting core or configuration files yields denial of service, and removing protective files (for example a security plugin's components) can pave the way for further compromise. Nothing is required beyond network reach to the site's AJAX entry point, since WordPress exposes unauthenticated actions registered with the wp_ajax_nopriv_ prefix through admin-ajax.php.

EPSS for this vulnerability rose from lower values to a peak of 0.5627 on 2025-12-11 before receding to the current 0.4082, indicating that exploitation interest increased well after the January 2023 disclosure and that the issue merits renewed attention.
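The pattern described above, shown as an added illustration in PHP rather than the plugin's own code: a WordPress AJAX handler that trusts a request-supplied file name, beside a hardened version that confines the path to one directory and requires a nonce and a capability. The hook names (example_delete_upload, example_delete_upload_safe), the function names, the nonce action string, the cf7-temp subdirectory and the "file" request parameter are all assumptions chosen for this example; the WordPress API calls (add_action, wp_upload_dir, check_ajax_referer, current_user_can, sanitize_file_name, wp_send_json_success, wp_send_json_error) are real.

```php
<?php
// Added illustration, not the plugin's code. Hook names, function names, the
// nonce action, the cf7-temp directory and the "file" parameter are assumptions.

// --- Vulnerable pattern: unauthenticated AJAX action, no path validation ---
// The wp_ajax_nopriv_ hook makes this reachable via admin-ajax.php without login.
add_action( 'wp_ajax_nopriv_example_delete_upload', 'example_delete_upload_vulnerable' );
add_action( 'wp_ajax_example_delete_upload', 'example_delete_upload_vulnerable' );
function example_delete_upload_vulnerable() {
    // The request value is used verbatim: "../../wp-config.php" escapes the upload dir.
    $upload = wp_upload_dir();
    $path   = $upload['basedir'] . '/' . $_POST['file'];
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_send_json_success();
}

// --- Hardened pattern: nonce, capability, and a confined path ---
// No wp_ajax_nopriv_ hook: only logged-in users reach this handler at all.
add_action( 'wp_ajax_example_delete_upload_safe', 'example_delete_upload_safe' );
function example_delete_upload_safe() {
    check_ajax_referer( 'example_delete_upload', 'nonce' ); // dies on a missing or bad nonce
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $base_dir  = wp_upload_dir()['basedir'] . '/cf7-temp'; // assumed scratch directory
    $real      = example_confine_to_dir( $requested, $base_dir );
    if ( $real === null ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    if ( ! unlink( $real ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( basename( $real ) );
}

// Resolve $name as a leaf inside $base_dir. Returns the canonical path of an
// existing regular file, or null if the name is empty, traverses, or escapes.
function example_confine_to_dir( $name, $base_dir ) {
    $base = realpath( $base_dir );
    if ( $base === false ) {
        return null;
    }
    // basename() discards every directory component, so "../" cannot survive it.
    $leaf = basename( sanitize_file_name( $name ) );
    if ( $leaf === '' || $leaf === '.' || $leaf === '..' ) {
        return null;
    }
    $real = realpath( $base . DIRECTORY_SEPARATOR . $leaf );
    // realpath() follows symlinks, so re-check the prefix: a planted symlink
    // inside the directory must not be allowed to point the unlink elsewhere.
    if ( $real === false || strpos( $real, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    if ( ! is_file( $real ) ) {
        return null;
    }
    return $real;
}
```

Two design notes. First, the capability check is the wrong fix for a handler that genuinely has to serve anonymous form visitors (a Contact Form 7 upload flow is exactly that); there the deletion must be bound to something the visitor legitimately owns, such as a per-session token that names only the files that session uploaded, and the path confinement in example_confine_to_dir is what actually stops traversal. Second, unlink() operates on whatever the web server process can write, so the blast radius of the vulnerable pattern is set by file-system permissions, not by WordPress roles.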

Vulnerability details

The Images Optimize and Upload CF7 WordPress plugin through 2.1.4 does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: images optimize and upload cf7 project
Product: images optimize and upload cf7
Versions: ≤ 2.1.4 (all releases up to and including 2.1.4)

The version is visible on the WordPress Plugins screen. Because the vulnerable action is exposed through admin-ajax.php to unauthenticated requests, deactivating or removing the plugin removes the exposed endpoint entirely.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
