CVE-2022-2444

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-2444
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2444.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-2444
Published
2022-07-18T17:15:09.363Z
Modified
2025-11-14T13:02:39.160250Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

References

Affected packages

Git / github.com/codeinwp/visualizer

Affected ranges

Type
GIT
Repo
https://github.com/codeinwp/visualizer
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
6fa01e7496947364c01ac0a5749e0a674930d9c6

Affected versions

Other

untagged-43bc5985e1f581467953
untagged-a389242c40bc7749f453
untagged-fa4a1433cf1a8da886ac

v1.*

v1.5
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.6.0
v1.6.5
v1.6.6
v1.7.0
v1.7.1
v1.7.2
v1.7.5
v1.7.6

v2.*

v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0

v3.*

v3.0.0
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.2.0
v3.2.1
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.4.0
v3.4.1
v3.4.10
v3.4.11
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v3.5.0
v3.5.1
v3.6.0
v3.6.1
v3.7.0
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.7.5
v3.7.6
v3.7.7
v3.7.8
v3.7.9