CVE-2022-4328

WooCommerce Checkout Field Manager < 18.0 - Unauthenticated Arbitrary File Upload

Basic Information

CVE State: PUBLISHED
Reserved Date: December 07, 2022
Published Date: March 06, 2023
Last Updated: March 04, 2025
Vendor: Unknown
Product: WooCommerce Checkout Field Manager
Description: The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: poc
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-11-09 00:00:00 UTC) Source

References

https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-11-09 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-4328.yaml	2025-04-25 00:00:00 UTC

Timeline

CVE ID Reserved

December 07, 2022
CVE Published to Public

March 06, 2023
Detected by Nuclei

April 25, 2025
Added to KEVIntel

November 09, 2025