Description

WordPress Plugin String locator is prone to a deserialization vulnerability. Attackers can possibly exploit this issue to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions, granted a POP chain is also present. WordPress Plugin String locator version 2.5.0 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 2.6.0 or latest

References

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2434

Related Vulnerabilities

WordPress Plugin Content Aware Sidebars-Unlimited Widget Areas Security Bypass (3.8)

WordPress Plugin Facebook Page Feed Timeline Cross-Site Scripting (1.0)

WordPress Plugin Spreadsheet (wpSS) 'ss_id' Parameter SQL Injection (0.61)

WordPress Plugin SAML SP Single Sign On-SSO login Cross-Site Scripting (4.8.72)

WordPress Plugin Easy Gallery Slideshow Cross-Site Scripting (1.1)

Severity

High

Classification

CVE-2022-2434 CWE-502 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update