CVE-2022-4606
Published: 18 December 2022
Summary
CVE-2022-4606 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in FlatPress. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-4606 is a PHP remote file inclusion vulnerability, assigned CWE-98, that affects the FlatPress blogging platform in the flatpressblog/flatpress GitHub repository for all versions prior to 1.3. The flaw received a CVSS 3.1 score of 9.8, reflecting a network attack vector that requires no authentication or user interaction and can result in full confidentiality, integrity, and availability impacts.
An unauthenticated attacker can supply a crafted remote URL that the application includes and executes, allowing arbitrary PHP code execution on the server and complete system compromise. The vulnerability can be reached directly over the network without any prior access or privileges. In PHP, include() only fetches remote URLs when the allow_url_include directive is enabled, so confirming that it is disabled where it is not needed is a cheap additional hardening step alongside patching.
Public references point to a specific commit that resolves the issue and to a coordinated disclosure on huntr.dev; administrators are therefore advised to upgrade to FlatPress 1.3 or later, or to apply the referenced patch.
The associated EPSS score rose from a low baseline to a peak of 0.1980 before settling at the current value of 0.1201, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51938
Vulnerability details
PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3.
- CWE(s): CWE-98 (PHP Remote File Inclusion)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- FlatPress (flatpressblog/flatpress), all versions prior to 1.3
Mitigating Controls
No mitigating controls mapped yet. Per the references above, upgrade to FlatPress 1.3 or later, or apply the referenced fix commit.