Cyber Resilience

CVE-2022-4324

High · Public PoC

Published: 02 January 2023
Modified: 10 April 2025
KEV Added: not listed
Patch: available (update to 2.5.8 or later)
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0117 (percentile 79.1)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-4324 is a high-severity vulnerability in Wpgogo Custom Field Template whose weakness type is unspecified (no CWE is listed). Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 20.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Custom Field Template WordPress plugin before version 2.5.8 is vulnerable to PHP object injection because it unserializes the contents of an imported file without sufficient validation. This occurs specifically when handling a Customizer Styling file, and the flaw is present whenever a suitable gadget chain exists elsewhere on the site.

A high-privilege user such as an administrator can trigger the issue, either intentionally or after being tricked into importing a malicious file. Successful exploitation yields high impact on confidentiality, integrity, and availability, consistent with the CVSS 7.2 rating, whose vector assumes a network-reachable attack surface (AV:N), low attack complexity (AC:L) and high privileges (PR:H): once the file is processed, no further user interaction is needed.

WPScan advisories for the vulnerability recommend updating the plugin to version 2.5.8 or later to eliminate the unsafe deserialization behavior. The EPSS score rose from a low baseline to a peak of 0.1415 before receding to the current value of 0.0117, indicating a temporary increase in observed exploitation interest after disclosure.
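The pattern the analysis describes, as an added illustration that is not the plugin's own code: a settings importer that calls unserialize() on file content (the vulnerable shape) beside two hardened variants, one that keeps the serialized format but refuses to instantiate any class, and one that moves the feature to a data-only format. The function names, option keys and sample inputs are constructed for this example.

```php
<?php
// Added example, not code from the Custom Field Template plugin.
// Function names, option keys and sample inputs are constructed.

// VULNERABLE SHAPE: unserialize() on content an administrator uploaded.
// Any class on the site with __wakeup()/__destruct() side effects becomes a
// gadget, so the real risk depends on what other code is installed (the
// "suitable gadget chain" the advisory refers to).
function import_styling_unsafe(string $file_contents): array
{
    $data = unserialize($file_contents);
    return is_array($data) ? $data : [];
}

// HARDENED VARIANT 1: keep the serialized format, never instantiate objects.
// Object tokens are rejected up front, and allowed_classes=false means any
// object that still slips through comes back as __PHP_Incomplete_Class, so
// no magic method ever runs. Only an allow-list of scalar keys survives.
function import_styling_hardened(string $file_contents): array
{
    // Serialized objects ("O:" / "C:" tokens) have no business in a settings
    // file; fail closed. This also trips on the token inside a string value,
    // which is an acceptable false positive for an import feature.
    if (preg_match('/[OC]:\d+:"/', $file_contents)) {
        throw new InvalidArgumentException('Serialized objects are not accepted');
    }
    $data = @unserialize($file_contents, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Import is not a serialized array');
    }
    return filter_styling_options($data);
}

// HARDENED VARIANT 2: prefer a data-only format. json_decode() cannot create
// arbitrary objects, so there is no deserialization gadget surface at all.
function import_styling_json(string $file_contents): array
{
    $data = json_decode($file_contents, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Import is not a JSON object');
    }
    return filter_styling_options($data);
}

// Shared allow-list: only expected keys, coerced to strings. Hypothetical keys.
function filter_styling_options(array $data): array
{
    $allowed = ['font_family', 'font_size', 'custom_css'];
    $clean = [];
    foreach ($allowed as $key) {
        if (isset($data[$key]) && is_scalar($data[$key])) {
            $clean[$key] = (string) $data[$key];
        }
    }
    return $clean;
}

// Demonstration with constructed inputs.
$benign = serialize(['font_family' => 'serif', 'font_size' => '14px', 'extra' => 'dropped']);
var_dump(import_styling_hardened($benign));
// -> array with font_family and font_size only; "extra" is discarded

$with_object = 'O:8:"stdClass":0:{}';   // harmless class, used only to show the rejection
try {
    import_styling_hardened($with_object);
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), PHP_EOL;
}

var_dump(import_styling_json('{"font_family":"sans-serif","font_size":12}'));
// -> font_size is coerced to the string "12"
```

The allowed_classes option exists from PHP 7.0; on a site that must keep the serialized export format it is the minimum change, but migrating the import/export feature to JSON (variant 2) removes the gadget-chain dependency entirely rather than narrowing it.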

EU & UK References

Vulnerability details

The Custom Field Template WordPress plugin before 2.5.8 unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

wpgogo
custom field template
≤ 2.5.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References