Cyber Resilience

CVE-2022-4606

Severity: Critical · Public PoC

Published: 18 December 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1201 (93.9th percentile)
Risk Priority: 27 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-4606 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in FlatPress. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 6.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-4606 is a PHP remote file inclusion vulnerability, assigned CWE-98, that affects the FlatPress blogging platform (GitHub repository flatpressblog/flatpress) in all versions prior to 1.3. The flaw received a CVSS 3.1 score of 9.8, reflecting a network-accessible attack vector that requires neither authentication nor user interaction and can result in full confidentiality, integrity, and availability impact.

An unauthenticated attacker can supply a crafted remote URL that the application passes to an include directive; the server fetches the remote content and executes it as PHP, allowing arbitrary code execution and complete system compromise. The vulnerable code path is reachable directly over the network without any prior access or privileges.
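To make the CWE-98 pattern concrete for defenders, the following is an added illustration, not FlatPress's own code and not taken from the referenced commit. It shows the vulnerable shape (a request parameter flowing straight into `include`) next to a hardened shape that resolves the parameter against a fixed allowlist of local templates. The parameter name `page`, the template names and the directory layout are assumptions made for the example.

```php
<?php
// Added example: illustrates PHP Remote File Inclusion (CWE-98) and one
// standard mitigation. This is NOT FlatPress code; "page", the template
// names and TEMPLATE_DIR are assumptions for the illustration.

// Vulnerable shape: a request parameter is concatenated into include().
// If allow_url_include=On, the parameter can name a remote URL whose body
// the interpreter fetches and executes as PHP (remote file inclusion);
// even with it Off, "../" sequences still allow local file inclusion.
function render_vulnerable(array $request): void
{
    $page = $request['page'] ?? 'home';
    include $page . '.php';
}

// Hardened shape: the request value is only ever used as a key into a
// closed allowlist; the string that reaches include() is built entirely
// from server-side constants, so neither URLs nor traversal are possible.
const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = ['home', 'archive', 'contact'];

function resolve_template(?string $requested): string
{
    $name = $requested ?? 'home';
    // Strict comparison: no type juggling, no partial matches.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        $name = 'home';
    }
    return TEMPLATE_DIR . '/' . $name . '.php';
}

function render_hardened(array $request): void
{
    include resolve_template($request['page'] ?? null);
}

// Example usage with a constructed request (would normally be $_GET):
render_hardened(['page' => 'archive']);
```

As defense in depth, independent of any application fix, keep `allow_url_include = Off` (the PHP default since 5.2) and, where the application does not need to fetch URLs with file functions, `allow_url_fopen = Off` in `php.ini`; a request that reaches `include` with an `http://` or `ftp://` argument then fails instead of executing remote code. Upgrading to FlatPress 1.3 or applying the referenced patch remains the actual remediation.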

Public references point to a specific commit that resolves the issue and to a coordinated disclosure on huntr.dev; administrators are therefore advised to upgrade to FlatPress 1.3 or later, or to apply the referenced patch.

The associated EPSS score rose from a low baseline to a peak of 0.1980 before settling at the current value of 0.1201, indicating that exploitation interest increased after public disclosure.

Vulnerability details

PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3.

CWE(s)

CWE-98: PHP Remote File Inclusion

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: flatpress
Product: flatpress
Affected versions: ≤ 1.2.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.