CVE-2022-2184
HIGHCAPTCHA 4WP < 7.1.0 - Remote Code Execution via Admin Template Require Once
Title source: llmDescription
The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack to run arbitrary code on the server.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/e777784f-5ba0-4966-be27-e0a0cbbfe056
Scores
CVSS v3
8.8
EPSS
0.0049
EPSS Percentile
38.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
CWE-352
Status
published
Products (1)
wpwhitesecurity/captcha_4wp
< 7.1.0
Published
Aug 01, 2022
Tracked Since
Feb 18, 2026