CVE-2022-0440: 
WordPress vulnerability analysis and mitigation

The Catch Themes Demo Import WordPress plugin (versions before 2.1.1) contains a vulnerability identified as CVE-2022-0440. This security flaw was discovered and publicly disclosed on February 7, 2022. The vulnerability affects the file import functionality of the plugin and impacts WordPress installations using vulnerable versions of the Catch Themes Demo Import plugin (WPScan).

The vulnerability stems from improper validation of files during the import process. The plugin fails to properly validate one of the files to be imported, which could allow privileged administrators to upload arbitrary PHP files. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The severity is rated as HIGH with a CVSS v3.1 base score of 7.2 (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) (NVD).

If exploited, this vulnerability allows high-privilege administrators to achieve Remote Code Execution (RCE) on the affected WordPress installation. Notably, this exploitation is possible even in hardened WordPress environments where security constants such as DISALLOWUNFILTEREDHTML, DISALLOWFILEEDIT, and DISALLOWFILEMODS are set to true (WPScan).

The vulnerability has been patched in version 2.1.1 of the Catch Themes Demo Import plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).