Theme Editor < 2.9 – Authenticated (Admin+) PHAR Deserialization | CVE 2022-2440 | Plugin Vulnerabilities

Description

The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

Affects Plugins

Fixed in 2.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/88fe46bf-8e85-4550-92ad-bdd426e5a745

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Rasoul Jahanshahi

Verified

No

WPVDB ID

d366e078-4573-417b-b4f7-5d1d07949894

Timeline

Publicly Published

2024-08-28 (about 1 year ago)

Added

2024-08-28 (about 1 year ago)

Last Updated

2024-08-29 (about 1 year ago)

Other

Published

Title

Published

2023-01-18

Title

MainWP Code Snippets Extension < 4.0.3 - Subscriber+ PHP Objection Injection

Published

2025-06-23

Title

Sala <= 1.1.3 - Authenticated (Subscriber+) PHP Object Injection

Published

2025-10-21

Title

Ajax Search Lite < 4.13.4 - Authenticated (Administrator+) PHP Object Injection

Published

2017-04-27

Title

Row Seats Core < 2.68 - Unauthenticated PHP Object Injection

Published

2024-03-27

Title

Meta Tag Manager < 3.1 - Subscriber+ PHP Object Injection