PT-2023-15919 · WordPress · Total Upkeep
Chloe Chamberland
Published 2023-03-07 · Updated 2023-03-14
CVE-2022-4932
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Total Upkeep plugin for WordPress versions up to, and including 1.14.13
Description
The plugin discloses information because of a missing authorization check on the heartbeat_received() function, which runs on every WordPress heartbeat request. Authenticated attackers with subscriber-level permissions and above can use it to retrieve backup paths, which could lead to the download of backups.
Recommendations
For versions up to, and including 1.14.13, update to a version higher than 1.14.13 to resolve the issue. As a temporary workaround, consider restricting access to the heartbeat_received() function to minimize the risk of exploitation.
Fix
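The pattern behind this advisory is a WordPress `heartbeat_received` filter callback that adds sensitive data to the heartbeat response without checking who is asking. The following is an added illustration, not Total Upkeep's code: the filter name and its `($response, $data, $screen_id)` signature are WordPress core's, while the `my_plugin_` prefix, the `my_backup_status` key and the `my_plugin_get_backup_paths()` helper are hypothetical. It shows the weak callback beside a hardened one that gates the data on a capability, plus a site-level mitigation in the spirit of the recommended workaround.

```php
<?php
// Added illustration, not the plugin's code. The 'heartbeat_received' filter and
// its signature are WordPress core; my_plugin_* names and the 'my_backup_status'
// key are hypothetical stand-ins for whatever a backup plugin would use.

// Hypothetical helper standing in for "read the configured backup locations".
function my_plugin_get_backup_paths() {
    return array( WP_CONTENT_DIR . '/backups/' );
}

// Weak pattern: every logged-in user whose browser sends the key gets the
// backup paths back, because nothing checks the caller's capabilities.
// Heartbeat already verifies a nonce, but a nonce proves the request came
// from the site, not that the user is allowed to see backup data.
function my_plugin_heartbeat_received_weak( $response, $data, $screen_id ) {
    if ( ! empty( $data['my_backup_status'] ) ) {
        $response['my_backup_status'] = my_plugin_get_backup_paths();
    }
    return $response;
}

// Hardened pattern: require a capability tied to managing backups before
// adding anything to the response. A subscriber fails current_user_can()
// and receives the unchanged $response, with no hint that the key exists.
function my_plugin_heartbeat_received( $response, $data, $screen_id ) {
    if ( empty( $data['my_backup_status'] ) ) {
        return $response;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return $response;
    }
    $response['my_backup_status'] = my_plugin_get_backup_paths();
    return $response;
}
add_filter( 'heartbeat_received', 'my_plugin_heartbeat_received', 10, 3 );

// Temporary site-level mitigation (for example in an mu-plugin) until the
// plugin is updated: detach the offending callback so heartbeat requests
// carry no backup data at all. The callback name and priority must match
// what the installed plugin actually registers; the ones below are the
// hypothetical weak callback from this example.
add_action( 'init', function () {
    remove_filter( 'heartbeat_received', 'my_plugin_heartbeat_received_weak', 10 );
}, 20 );
```

The capability check belongs inside the callback rather than in a wrapper because `heartbeat_received` runs for any authenticated user on any admin screen; `manage_options` is used here as a conservative default, and a plugin with its own backup capability should check that instead.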
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Total Upkeep