CVE-2024-7263 CRITICAL

CVE-2024-7263: Arbitrary Code Execution in WPS Office

Vendor Kingsoft
Product WPS Office
Weakness CWE-22 · Path traversal
Published August 15, 2024
Last update August 22, 2024

CVSS base score

9.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:N

What the vulnerability does

01Description

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.1.0.17119 to mitigate CVE-2024-7262 was not restrictive enough. Another parameter was not properly sanitized which leads to the execution of an arbitrary Windows library.

Key dates

02Disclosure timeline

August 15, 2024 CVE published
August 22, 2024 Record updated

Related vulnerabilities

04Related CVE