CVE-2022-4395

CRITICAL

Membership For WooCommerce <2.1.7 - Unauthenticated RCE

Description

The Membership For WooCommerce WordPress plugin before 2.1.7 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE.

Exploits (2)

exploitdb: WORKING POC
by Milad karimi · text · webapps · php
https://www.exploit-db.com/exploits/51959

nomisec: WORKING POC, 7 stars
by MrG3P5 · poc
https://github.com/MrG3P5/CVE-2022-4395

Scores

CVSS v3: 9.8
EPSS: 0.7628
EPSS Percentile: 98.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status: published
Products (1): wpswings/membership_for_woocommerce < 2.1.7
Published: Jan 30, 2023
Tracked Since: Feb 18, 2026