WordPress Plugin Vulnerabilities

WP Editor < 1.2.9.1 - Authenticated (Admin+) PHAR Deserialization

Description

The WP Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'current_theme_root' parameter in versions up to, and including 1.2.9. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

Affects Plugins

Plugin icon
wp-editor
Fixed in 1.2.9.1

References

CVE
CVE-2022-2446
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f3555702-4427-4569-8fd6-f84113593e9d

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Rasoul Jahanshahi
Verified
No
WPVDB ID
279b19f4-a8c0-4a52-bc69-ec0e6378b736

Timeline

Publicly Published
2024-09-12 (about 1 year ago)
Added
2024-09-12 (about 1 year ago)
Last Updated
2024-09-13 (about 1 year ago)

Other

Published
Title
Published
2025-08-21
Title
Portfolio Manager Pro 3.8 - Unauthenticated PHP Object Injection
Published
2025-08-30
Title
Finag <= 1.5.0 - Unauthenticated PHP Object Injection
Published
2024-01-03
Title
HTML5 MP3 Player with Playlist Free <= 3.0.0 - Authenticated (Author+) PHP Object Injecton
Published
2022-10-10
Title
Customizer Export/Import < 0.9.5 - Admin+ PHP Objection Injection
Published
2025-02-24
Title
ADFO – Custom data in admin dashboard <= 1.9.1 - Authenticated (Admin+) PHP Object Injection