CVE-2022-2046

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-2046
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2046.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-2046
Published
2022-08-08T14:15:08.637Z
Modified
2026-04-10T04:43:10.520797Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations.

References

Affected packages

Git / github.com/sovware/directorist

Affected ranges

Type
GIT
Repo
https://github.com/sovware/directorist
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
53439e8fa9459d0b6eeaad7faa68812c2ed58e67
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.2.3"
        }
    ]
}

Affected versions

released-v7.*
released-v7.0.4
v7.*
v7.0
v7.0.3.2
v7.0.3.3
v7.0.4.1
v7.0.5
v7.0.5.1
v7.0.5.2
v7.0.5.3
v7.0.5.4
v7.0.5.6
v7.0.6
v7.0.6.1
v7.0.6.2
v7.0.6.3
v7.0.7
v7.0.8
v7.1.0
v7.1.1
v7.1.2
v7.2.0
v7.2.1
v7.2.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2046.json"