PT-2023-14142 · WordPress · Replyable

Lana Codes · Published 2023-03-06 · Updated 2023-03-11 · CVE-2022-4265

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Replyable WordPress plugin versions prior to 2.2.10

Description: The issue arises from the lack of validation of the class name submitted in the request when instantiating an object in the prompt dismiss notice action, combined with the absence of a CSRF check in that action. This could allow any authenticated user, such as a subscriber, to perform Object Injection attacks. The attack could also be carried out via a CSRF vector against any authenticated user.

Recommendations: For versions prior to 2.2.10, update to version 2.2.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the prompt dismiss notice action to minimize the risk of exploitation. Additionally, restrict the instantiation of objects based on user-submitted class names until a patch is available.
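The two defects the advisory names, an unchecked request value passed to `new` and a missing CSRF check, are illustrated below as an added example; this is not the Replyable plugin's code, and the action name `myplugin_dismiss_notice`, the hypothetical notice classes and the `manage_options` capability are assumptions chosen for the illustration. The weak handler shows the pattern the advisory describes; the hardened handler applies the recommended mitigations using standard WordPress APIs (`check_ajax_referer`, `current_user_can`, `sanitize_key`).

```php
<?php
// Added example, not the Replyable plugin's code. A hypothetical AJAX
// "dismiss notice" handler in its weak form and in a hardened form.

// --- Weak pattern (do not use): the class name comes straight from the
// request, and there is no nonce or capability check, so any logged-in user,
// or a victim's browser driven by a CSRF page, can reach the `new`.
function myplugin_dismiss_notice_weak() {
    $class  = $_POST['notice_class'];   // attacker-controlled string
    $notice = new $class();             // arbitrary class instantiation
    $notice->dismiss();
    wp_die();
}

// --- Hardened form.

// Hypothetical allowlist: short keys the browser may send, mapped to the only
// classes this action is ever allowed to instantiate.
const MYPLUGIN_NOTICE_CLASSES = array(
    'review'  => 'MyPlugin_Review_Notice',
    'upgrade' => 'MyPlugin_Upgrade_Notice',
);

// Resolve a user-supplied key to a class name; the raw value never reaches `new`.
function myplugin_resolve_notice_class( $key ) {
    $key = sanitize_key( $key );
    if ( ! isset( MYPLUGIN_NOTICE_CLASSES[ $key ] ) ) {
        return null;
    }
    return MYPLUGIN_NOTICE_CLASSES[ $key ];
}

function myplugin_dismiss_notice_safe() {
    // CSRF: dies with 403 unless the request carries a nonce minted for this action.
    check_ajax_referer( 'myplugin_dismiss_notice', 'nonce' );

    // Authorisation: dismissing admin notices is an administrator operation,
    // so a subscriber account cannot reach the instantiation below.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $key   = isset( $_POST['notice'] ) ? $_POST['notice'] : '';
    $class = myplugin_resolve_notice_class( $key );
    if ( null === $class || ! class_exists( $class ) ) {
        wp_send_json_error( 'unknown notice', 400 );
    }

    $notice = new $class();   // one of the allowlisted classes only
    $notice->dismiss();
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_dismiss_notice', 'myplugin_dismiss_notice_safe' );

// The browser side must send the matching nonce with the request, e.g. a value
// produced by wp_create_nonce( 'myplugin_dismiss_notice' ) passed to the script
// via wp_localize_script().
```

The order of checks matters: the nonce check runs first so that a cross-site request is rejected before any state is touched, the capability check then removes low-privilege accounts from the reachable set, and the allowlist lookup means that even a request passing both checks can only instantiate classes the plugin author chose. Restricting the action to a capability is also the quickest form of the temporary workaround the advisory suggests.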

CSRF

Weakness Enumeration

Related Identifiers: CVE-2022-4265

Affected Products: Replyable