CVE-2022-0316

high-risk

Published 2023-01-23

The WeStand WordPress theme before 2.1, footysquare WordPress theme, aidreform WordPress theme, statfort WordPress theme, club-theme WordPress theme, kingclub-theme WordPress theme, spikes WordPress theme, spikes-black WordPress theme, soundblast WordPress theme, bolster WordPress theme from ChimpStudio and PixFill does not have any authorisation and upload validation in the lang_upload.php file, allowing any unauthenticated attacker to upload arbitrary files to the web server.

Do I need to act?

38.9% chance of exploitation in next 30 days

EPSS score — higher than 61% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (10)

Aidreform

Bolster

Spikes

Westand

Club-Theme

Footysquare

Kings Club

Soundblast

Spikes-Black

Statfort

Affected Vendors

Chimpgroup Aidreform Project Club-Theme Project Footysquare Project Pixfill Soundblast Project Spikes-Black Project Statfort Project

References (2)

Exploit https://wpscan.com/vulnerability/9ab3d6cf-aad7-41bc-9aae-dc5313f12f7c

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 17/34 · Moderate

Exposure 16/34 · Moderate