CVE-2022-4265: The Replyable WordPress plugin before 2.2.10 does not validate the class name submitted by the request when instantiatin
high vulnerability
security
Summary
The Replyable WordPress plugin before version 2.2.10 does not validate the class name submitted in the request before instantiating an object in one of its actions, and that action also lacks CSRF protection (cross-site request forgery, where an attacker tricks a logged-in user into submitting a request without their knowledge). As a result, any authenticated user, even one with only subscriber permissions, can perform an object injection attack (abusing the plugin's object creation to run unintended code).
Solution / Mitigation
Update the Replyable WordPress plugin to version 2.2.10 or later.
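For illustration, the weak pattern described above beside a hardened WordPress AJAX handler. This is an added example, not the Replyable plugin's code; every function, class and action name starting with `demo_` or `Demo_` is hypothetical.

```php
<?php
// Added illustrative example, not code from the Replyable plugin.
// All demo_* / Demo_* names are hypothetical.

// Weak pattern: the class name comes straight from the request and the
// handler performs no nonce check, so any class PHP can load may be
// instantiated, and a CSRF'd request from a logged-in user reaches it.
function demo_weak_handler() {
    $class = $_POST['class'] ?? '';
    $obj   = new $class();
    $obj->run();
    wp_die();
}

// Hardened pattern: the request chooses a key, not a class name, and the
// key is mapped through a fixed allowlist; the nonce and capability checks
// close the CSRF and low-privilege paths.
const DEMO_ALLOWED_CLASSES = [
    'comment' => 'Demo_Comment_Notifier',
    'digest'  => 'Demo_Digest_Notifier',
];

function demo_resolve_class( $key ) {
    return DEMO_ALLOWED_CLASSES[ $key ] ?? null;
}

function demo_hardened_handler() {
    check_ajax_referer( 'demo_action', 'nonce' );      // rejects forged requests
    if ( ! current_user_can( 'moderate_comments' ) ) { // subscribers stop here
        wp_send_json_error( 'forbidden', 403 );
    }
    $class = demo_resolve_class( sanitize_key( $_POST['type'] ?? '' ) );
    if ( null === $class ) {                           // unknown key: refuse
        wp_send_json_error( 'unknown type', 400 );
    }
    $obj = new $class();                               // only allowlisted classes
    $obj->run();
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_action', 'demo_hardened_handler' );
```

The front end must send the nonce generated by `wp_create_nonce( 'demo_action' )` as the `nonce` field for the hardened handler to accept the request.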
Vulnerability Details
CVSS Score
8.8 (high)
EPSS (30-day exploit probability)
EPSS: 0.2%
Classification
Attack Sophistication: Moderate
Taxonomy References
CWE (Weakness Type)
Original source: https://nvd.nist.gov/vuln/detail/CVE-2022-4265
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 95%