PT-2022-16697 · WordPress · The Visualizer: Tables/Charts Manager For Wordpress

Rasoul Jahanshahi · Published 2022-07-18 · Updated 2023-10-24 · CVE-2022-2444

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Visualizer: Tables and Charts Manager for WordPress, versions up to and including 3.7.9.

Description: The plugin deserializes untrusted input supplied through the remote data parameter. An authenticated attacker with the Contributor role or above can point that parameter at a file using the phar:// stream wrapper; PHP then parses the file as a PHAR archive and unserializes its manifest metadata, instantiating attacker-chosen PHP objects. If a suitable POP (property-oriented programming) gadget chain is present in the loaded code base, those objects can be used to perform a variety of malicious actions, depending on the gadgets available. The attack additionally requires that the attacker has first succeeded in uploading a file containing the serialized payload to the server.

Recommendations: Update the plugin to a version later than 3.7.9, which contains the fix. If updating is not immediately possible, stop using the remote data feature and restrict it to trusted roles, and review uploaded files for PHAR content, since the attack needs such a file on the server before the parameter can be abused. Do not use the remote data parameter in an affected version until the plugin has been updated.
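The mechanism described above and the workaround, shown as an added example that is not the Visualizer plugin's code: a hypothetical gadget class, the vulnerable sink pattern (a user-controlled value reaching a filesystem function that honours stream wrappers), a hardened replacement that allows only http(s) and fetches through the WordPress HTTP API, and two defence-in-depth measures against the upload prerequisite. The names Gadget, fetch_remote_data_vulnerable, fetch_remote_data_hardened and reject_phar_upload are assumptions; the wp_* functions and add_filter() exist in WordPress core.

```php
<?php
// Added illustration for this advisory; it is not the Visualizer plugin's code and
// the function/class names below are hypothetical. The wp_* calls and add_filter()
// assume the snippet runs inside WordPress; everything else needs only PHP >= 7.4.

// 1. A POP-chain gadget. Any class already loaded by WordPress, a theme or another
//    plugin whose magic method acts on attacker-controlled properties will do; this
//    one is a hypothetical stand-in.
class Gadget
{
    public $path = '';
    public $data = '';

    public function __destruct()
    {
        // Fires when the unserialized object is destroyed: arbitrary file write.
        file_put_contents($this->path, $this->data);
    }
}

// 2. The vulnerable pattern: a contributor-supplied value reaches a filesystem
//    function unfiltered. Given a value such as
//        phar://wp-content/uploads/2022/07/chart.jpg/x
//    PHP 7.x parses chart.jpg as a PHAR archive and unserialize()s its manifest
//    metadata before returning any bytes, so a serialized Gadget stored there is
//    instantiated and its __destruct runs with the attacker's $path and $data.
//    chart.jpg only has to survive the upload check: a PHAR stub may begin with a
//    valid image and end with __HALT_COMPILER(); ?>.
function fetch_remote_data_vulnerable(string $remote_data)
{
    return file_get_contents($remote_data);   // sink: honours every stream wrapper
}

// 3. Hardened: accept http(s) URLs only and fetch them through the WordPress HTTP
//    API, which never goes through PHP stream wrappers.
function fetch_remote_data_hardened(string $remote_data)
{
    $scheme = strtolower((string) parse_url($remote_data, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;   // rejects phar://, file://, data://, glob://, ftp:// ...
    }
    if (!wp_http_validate_url($remote_data)) {
        return false;   // also refuses loopback and private targets (SSRF)
    }
    $response = wp_safe_remote_get($remote_data, ['timeout' => 10]);
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        return false;
    }
    return wp_remote_retrieve_body($response);
}

// 4. Defence in depth for the prerequisite step (a file carrying the serialized
//    payload in the uploads directory): refuse any upload that contains a PHAR
//    stub, whatever its extension claims, and drop the phar wrapper for this
//    request so a stray sink elsewhere cannot reach such a file either.
function reject_phar_upload(array $file): array
{
    // Only the first MiB is inspected; raise the limit if large uploads are allowed.
    $head = (string) file_get_contents($file['tmp_name'], false, null, 0, 1024 * 1024);
    if (stripos($head, '__HALT_COMPILER') !== false) {
        $file['error'] = 'Upload rejected: file contains a PHAR stub.';
    }
    return $file;
}
add_filter('wp_handle_upload_prefilter', 'reject_phar_upload');

if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
```

Two caveats. PHP 8.0 stopped unserializing PHAR metadata automatically when an archive is opened (it is now only deserialized on an explicit getMetadata() call), so on PHP 8 the phar:// path no longer reaches the gadget; the scheme allowlist still matters because phar://, file:// and the other wrappers still let the attacker read attacker-chosen or local files through the sink. Unregistering the phar wrapper affects the whole request, so confirm nothing else in the site legitimately opens .phar archives before shipping that line.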

Weakness Enumeration: CWE-502 Deserialization of Untrusted Data

Related Identifiers: CVE-2022-2444

Affected Products: The Visualizer: Tables/Charts Manager For Wordpress