CVE-2022-4060

The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e	Exploit Third Party Advisory
https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:odude:user_post_gallery:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 07:34

Type	Values Removed	Values Added
References	~~() https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e - Exploit, Third Party Advisory~~	() https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e - Exploit, Third Party Advisory
Summary		(es) El complemento User Post Gallery de WordPress hasta la versión 2.19 no limita las funciones de devolución de llamada que pueden invocar los usuarios, lo que permite a cualquier visitante ejecutar código en los sitios que lo ejecutan.

Information

Published : 2023-01-16 16:15

Updated : 2025-04-04 18:15

NVD link : CVE-2022-4060

Mitre link : CVE-2022-4060

CVE.ORG link : CVE-2022-4060

JSON object : View

Products Affected

odude

user_post_gallery

CWE

No CWE.

{"id": "CVE-2022-4060", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-01-16T16:15:11.000", "references": [{"url": "https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "descriptions": [{"lang": "en", "value": "The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it."}, {"lang": "es", "value": "El complemento User Post Gallery de WordPress hasta la versi\u00f3n 2.19 no limita las funciones de devoluci\u00f3n de llamada que pueden invocar los usuarios, lo que permite a cualquier visitante ejecutar c\u00f3digo en los sitios que lo ejecutan."}], "lastModified": "2025-04-04T18:15:44.157", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:odude:user_post_gallery:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "DCE17690-0E7C-4ED8-B244-F17B444D5D18", "versionEndIncluding": "2.19"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}