CVE-2022-2046 — Unrestricted File Upload in Directorist

Severity: 4.9 MEDIUM (NVD)
EPSS: 0.3% (top 47.37%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 8
Latest update: Aug 9

Description

The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Exploitability: 1.2 | Impact: 3.6

Affected Packages (1 package)

NVD: wpwax/directorist < 7.2.3

Vulnerability Details (2)

GHSA: GHSA-gmv3-cpf6-fmj8: The Directorist WordPress plugin before 7 (2022-08-09)
CVEList: Directorist - Business Directory Plugin < 7.2.3 - Admin+ Arbitrary File Upload (2022-08-08)