Vulnerability Description
The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wpwax | Directorist | < 7.2.3 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2752034/directorist?contextall=1&olThird Party Advisory
- https://wpscan.com/vulnerability/03a04eab-be47-4195-af77-0df2a32eb807ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2752034/directorist?contextall=1&olThird Party Advisory
- https://wpscan.com/vulnerability/03a04eab-be47-4195-af77-0df2a32eb807ExploitThird Party Advisory
FAQ
What is CVE-2022-2046?
CVE-2022-2046 is a vulnerability with a CVSS score of 4.9 (MEDIUM). The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. T...
How severe is CVE-2022-2046?
CVE-2022-2046 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-2046?
Check the references section above for vendor advisories and patch information. Affected products include: Wpwax Directorist.