CVE-2022-1476
⚪ For information
A vulnerability in the All-in-One WP Migration plugin allows administrative users to delete arbitrary files.
CVSS
6.6
EPSS
35.3%
Exploit
none
Vendor
servmask
Source description (NVD)
The All-in-One WP Migration plugin for WordPress is vulnerable to arbitrary file deletion via directory traversal due to insufficient file validation via the ~/lib/model/class-ai1wm-backups.php file, in versions up to, and including, 7.58. This can be exploited by administrative users, and users who have access to the site's secret key.
path-traversal
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 6.6 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 35.3% |
| Published (NVD) | 2022-05-10 20:15:08 UTC |
| Last modified (NVD) | 2026-04-08 19:17:49 UTC |
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2715609%40all-in-one-wp-migration&new=2715609%40all-in-one-wp-migration&sfp_email=&sfph_mail= (security@wordfence.com) [Patch, Third Party Advisory]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e58634c3-7fcd-4885-b897-4e6a97fb06ac?source=cve (security@wordfence.com)
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1476 (security@wordfence.com) [Third Party Advisory]