CVE-2022-2437
moderate-risk
Published 2022-07-18
The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including 2.9.8.5. This makes it possible for unauthenticated attackers to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Do I need to act?
~
9.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: eb20af823cee2790295559999b7627f1a9e73946
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Feed Them Social
Affected Vendors
References (6)
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/50bcea94-b12a-4b31-b0c...
Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2437
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/50bcea94-b12a-4b31-b0c...
Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2437
47
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
10/34 · Low
Exposure
5/34 · Minimal