CVE-2022-0440

Name of the Vulnerable Software and Affected Versions The Catch Themes Demo Import WordPress plugin versions prior to 2.1.1

Description The issue allows high privilege admins to upload arbitrary PHP files, potentially leading to remote code execution (RCE), even when the blog is hardened with constants such as DISALLOW UNFILTERED HTML, DISALLOW FILE EDIT, and DISALLOW FILE MODS set to true.

Recommendations For versions prior to 2.1.1, update to version 2.1.1 or later to resolve the issue. As a temporary workaround, consider restricting file upload capabilities to prevent potential exploitation.