CVE-2022-4324
Published: 02 January 2023
Summary
CVE-2022-4324 is a high-severity PHP object injection vulnerability in Wpgogo Custom Field Template (the record lists no specific CWE). Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 20.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Custom Field Template WordPress plugin before version 2.5.8 is vulnerable to PHP object injection because it passes the contents of an imported file to unserialize() without sufficient validation. This occurs specifically when handling a Customizer Styling file. The unsafe deserialization is always present; it becomes exploitable when a suitable gadget chain (a class with a magic method such as __destruct or __wakeup that does something dangerous with attacker-controlled properties) is loadable elsewhere on the site, for example from another installed plugin, the theme, or a bundled library.
A high-privilege user such as an administrator must trigger the issue, either intentionally or after being tricked into importing a malicious file. Successful exploitation yields high impact on confidentiality, integrity, and availability. The 7.2 score is consistent with a network-reachable, low-complexity attack whose impact is high across all three properties but which requires high privileges; that privilege requirement is what keeps the score out of the critical range.
WPScan advisories for the vulnerability recommend updating the plugin to version 2.5.8 or later to eliminate the unsafe deserialization behavior. The EPSS score rose from a low baseline to a peak of 0.1415 before receding to its current value of 0.0117, indicating a temporary increase in predicted exploitation activity after disclosure.
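The following is an added, self-contained example and not code from the Custom Field Template plugin or from WPScan. It shows the class of bug described above: an import handler that calls unserialize() on file bytes, next to a hardened version. The LogWriter class is a hypothetical gadget standing in for "a suitable gadget chain present on the blog", the function names are invented, and the malicious import file is constructed inline. Run it with the PHP CLI.

```php
<?php
// Added example (not the plugin's code). Hypothetical gadget class: stands in for
// any class on the site whose magic method acts on attacker-controlled properties.
class LogWriter {
    public $path;
    public $data;
    public function __destruct() {
        // Fires when the object is destroyed, i.e. right after unserialize() built it
        // and the caller dropped the result. Attacker chooses both path and content.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: trusts the bytes of the imported "Customizer Styling" file.
function import_styling_vulnerable(string $fileContents): array {
    $settings = unserialize($fileContents);   // instantiates any class named in the payload
    return is_array($settings) ? $settings : [];
}

// Hardened pattern: forbid object instantiation during unserialize(), so any object in
// the payload becomes __PHP_Incomplete_Class and no magic method ever runs; then only
// accept the flat string-keyed, scalar-valued shape a styling file is supposed to have.
function import_styling_hardened(string $fileContents): array {
    $settings = @unserialize($fileContents, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        return [];
    }
    foreach ($settings as $key => $value) {
        if (!is_string($key) || !is_scalar($value)) {
            return [];   // an object (or nested structure) smuggled into the settings
        }
    }
    return $settings;
}

// Constructed malicious import file: a serialized settings array that smuggles a
// LogWriter object. Built by hand so that no live LogWriter exists before the test.
$target = sys_get_temp_dir() . '/poi_demo.txt';
@unlink($target);
$gadget = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:6:"pwned' . "\n" . '";}',
    strlen($target), $target
);
$malicious = 'a:2:{s:5:"color";s:4:"#fff";s:4:"hook";' . $gadget . '}';

// 1. Vulnerable handler: the object is created, then destroyed when the result is
//    discarded, and __destruct writes the file.
import_styling_vulnerable($malicious);
gc_collect_cycles();
echo file_exists($target)
    ? "vulnerable: gadget wrote $target\n"
    : "vulnerable: no write (unexpected)\n";
@unlink($target);

// 2. Hardened handler: LogWriter is never instantiated, the smuggled value is rejected.
$safe = import_styling_hardened($malicious);
gc_collect_cycles();
echo file_exists($target)
    ? "hardened: still wrote (unexpected)\n"
    : "hardened: object not instantiated, settings rejected (" . count($safe) . " keys)\n";
```

The `allowed_classes => false` option exists in PHP 7.0 and later; on older runtimes the only safe fix is to stop using the PHP serialization format for imports altogether. Storing settings as JSON and reading them with json_decode() achieves the same thing more simply, since JSON decoding never instantiates classes; the shape check after decoding is still worth keeping, because an import file is untrusted input even when an administrator is the one uploading it.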
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51677
Vulnerability details
The Custom Field Template WordPress plugin before 2.5.8 unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.
- CWE(s): none listed in the record
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.