CVE-2022-3366

CVE-2022-3366: PublishPress Capabilities < 2.5.2 - Admin+ PHP Object Injection

Vendor: Unknown
Product: PublishPress Capabilities – User Role Access, Editor Permissions, Admin Menus
Weakness: CWE-502 · Unsafe deserialization
Published: October 31, 2022
Last update: May 6, 2025


What the vulnerability does

01 Description

The PublishPress Capabilities WordPress plugin before 2.5.2 and the PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserialize the content of imported files, which could lead to PHP object injection attacks by administrators on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site.

Key dates

02 Disclosure timeline

October 31, 2022: CVE published
May 6, 2025: Record updated