CVE-2022-2903: 
WordPress vulnerability analysis and mitigation

CVE-2022-2903 affects the Ninja Forms Contact Form WordPress plugin versions before 3.6.13. The vulnerability was discovered and publicly disclosed on September 5, 2022. The issue exists in the plugin's import functionality, where it unserializes the content of imported files without proper validation (WPScan, NVD).

The vulnerability is classified as a PHP Object Injection (CWE-502) with a CVSS v3.1 base score of 7.2 (HIGH). The issue occurs when the plugin processes imported files through the Import/Export > Favourite Fields functionality without proper sanitization of the unserialized content. This vulnerability specifically affects the path '/wp-admin/admin.php?page=nf-import-export&tab=favorite_fields' and requires administrator privileges to exploit (WPScan).

When exploited, this vulnerability could lead to PHP object injection issues if a suitable gadget chain is present on the blog. This occurs when an administrator imports a malicious file, either intentionally or unintentionally. The impact severity is rated as HIGH due to the potential for code execution through object injection (WPScan).

The vulnerability has been patched in version 3.6.13 of the Ninja Forms plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).