Cyber Resilience

CVE-2022-4774

Critical · Public PoC

Published: 15 May 2023

Modified: 24 January 2025
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0648 (91.3rd percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-4774 is a critical-severity vulnerability in the Bitapps Bit Form WordPress plugin; the record assigns no CWE to it. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Bit Form WordPress plugin before version 1.9 contains an unrestricted file upload vulnerability. The component fails to validate file types submitted through its file upload form field, permitting arbitrary extensions such as PHP or HTML to be stored on the server and subsequently executed.

Unauthenticated attackers can exploit the flaw over the network by submitting malicious files via the form. Successful exploitation grants remote code execution with the ability to read, modify, or delete data and fully compromise the affected WordPress site, consistent with the CVSS 9.8 rating that reflects no required authentication or user interaction.

The referenced WPScan advisory identifies the issue in versions prior to 1.9 and indicates that updating the plugin to version 1.9 or later removes the missing file-type validation. No other mitigation details such as workarounds are provided in the available references.
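To make the missing control concrete, the block below is an added, hypothetical PHP upload check of the kind the advisory describes as absent before 1.9; it is not Bit Form's code, and the function name, form field name, allowlist and UPLOAD_DIR are assumptions.

```php
<?php
// Added illustration, not the Bit Form plugin's code. Function name, field
// name, allowlist and UPLOAD_DIR are hypothetical.

// Only these extensions may be stored, each paired with the MIME type the
// file's own bytes must report. Allowlist, never denylist: a denylist misses
// variants such as .phtml, .phar, .shtml or .htaccess.
const ALLOWED_UPLOADS = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

/**
 * Return a safe storage name for an uploaded file, or null to reject it.
 * $client_name is $_FILES[...]['name'], $tmp_path is $_FILES[...]['tmp_name'].
 */
function safe_upload_name(string $client_name, string $tmp_path): ?string
{
    // Drop any path component the client supplied (either separator style).
    $base = basename(str_replace('\\', '/', $client_name));

    // Reject NUL and other control bytes; some layers truncate at them.
    if ($base === '' || preg_match('/[\x00-\x1f]/', $base)) {
        return null;
    }

    // Trailing dots/spaces are stripped so "x.php." is not seen as having an
    // empty extension and later normalised to x.php by the filesystem.
    $base = rtrim($base, ". ");
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        return null;
    }

    // The declared extension must agree with the content's magic bytes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    if ($mime !== ALLOWED_UPLOADS[$ext]) {
        return null;
    }

    // Never reuse the client's name (this also defeats double-extension
    // tricks): store under a random name plus the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Hypothetical handler for a field named "attachment". UPLOAD_DIR should also
// be served with script execution disabled, as a layer independent of this check.
// $name = safe_upload_name($_FILES['attachment']['name'], $_FILES['attachment']['tmp_name']);
// if ($name === null) { http_response_code(400); exit('rejected'); }
// move_uploaded_file($_FILES['attachment']['tmp_name'], UPLOAD_DIR . '/' . $name);
```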

EPSS scores reached a peak of 0.0811 before settling at the current value of 0.0648, indicating modest post-disclosure interest without evidence of widespread exploitation.

Vulnerability details

The Bit Form WordPress plugin before 1.9 does not validate the file types uploaded via its file upload form field, allowing unauthenticated users to upload arbitrary file types such as PHP or HTML files to the server, leading to Remote Code Execution.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

bitapps
bit form
≤ 1.9

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
