QwikSec

Security Database

CVE

CWE

Training

CVE-2022-2434

Published: Sep 6, 2022

Modified: Apr 8, 2026

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

Vendor	Product	Versions
instawp	String locator	affected `0 - <= 2.5.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/10a36e37-4188-403f-9b17-d7e79b8b8a6d?source=cve

https://plugins.trac.wordpress.org/browser/string-locator/trunk/editor.php#L59

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2759486%40string-locator&new=2759486%40string-locator&sfp_email=&sfph_mail=

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2434

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.