CVE-2022-3374

Severity: 7.2 HIGH
EPSS: 0.9% (top 24.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 31

Description

The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5 | unknown/ocean_extra | 2.0.5 | 2.0.5
NVD | oceanwp/ocean_extra | < 2.0.5

🔴 Vulnerability Details (2)

CVEList | Ocean Extra < 2.0.5 - Admin+ PHP Objection Injection | 2022-10-31
GHSA | GHSA-2xq6-mr97-65fj: The Ocean Extra WordPress plugin before 2 | 2022-10-31