CVE-2022-2434

Name of the Vulnerable Software and Affected Versions String Locator plugin for WordPress versions up to, and including 2.5.0

Description The issue allows deserialization of untrusted input via the string-locator-path parameter. This enables unauthenticated users to call files using a PHAR wrapper if they can trick a site administrator into performing a specific action, such as clicking on a link, which deserializes and calls arbitrary PHP Objects. This can lead to various malicious actions if a POP chain is also present, and the attacker successfully uploads a file with the serialized payload.

Recommendations For String Locator plugin for WordPress versions up to, and including 2.5.0, update to a version higher than 2.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the string-locator-path parameter to minimize the risk of exploitation. Avoid using the string-locator-path parameter in the affected plugin until the issue is resolved.