CVE-2022-3921
Listingo < 3.2.7 - Unauthenticated Arbitrary File Upload
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The Listingo WordPress theme before 3.2.7 does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE
El tema de WordPress Listingo anterior a 3.2.7 no valida los archivos que se cargarán mediante una acción AJAX disponible para usuarios no autenticados, lo que podría permitirles cargar archivos arbitrarios y conducir a RCE.
The Listingo theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via one of its AJAX actions in versions up to, and including, 3.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-11-10 CVE Reserved
- 2022-11-21 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/e39b59b0-f24f-4de5-a21c-c4de34c3a14f | 2024-08-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Themographics Search vendor "Themographics" | Listingo Search vendor "Themographics" for product "Listingo" | < 3.2.7 Search vendor "Themographics" for product "Listingo" and version " < 3.2.7" | wordpress |
Affected
| ||||||