CVE-2022-3342

Name of the Vulnerable Software and Affected Versions Jetpack CRM plugin for WordPress versions up to, and including, 5.3.1

Description The issue concerns PHAR deserialization via the zbscrmcsvimpf parameter in the zeroBSCRM CSVImporterLitehtml app function. Although a nonce check is performed, steps 2 and 3 of this check do not take action upon failure, leading to a file exists check on the zbscrmcsvimpf value. If a phar:// archive is provided, its contents are deserialized, allowing an object to be injected into the execution stream. This enables an unauthenticated attacker to achieve object injection if they can upload a phar archive and trick an administrator into performing a specific action.

Recommendations For Jetpack CRM plugin for WordPress versions up to, and including, 5.3.1: As a temporary workaround, consider disabling the zeroBSCRM CSVImporterLitehtml app function until a patch is available. Restrict access to the zbscrmcsvimpf parameter to minimize the risk of exploitation. Avoid using the zbscrmcsvimpf parameter in the affected function until the issue is resolved.