CVE-2022-3334: 
WordPress vulnerability analysis and mitigation

The Easy WP SMTP WordPress plugin before version 1.5.0 contains a PHP object injection vulnerability identified as CVE-2022-3334. The vulnerability was discovered by Nguyen Duy Quoc Khanh and publicly disclosed on October 10, 2022. The issue affects the plugin's import functionality where it unsafely unserializes the content of imported files (WPScan).

The vulnerability stems from improper deserialization of untrusted data (CWE-502) when handling imported files. The CVSS v3.1 base score is 7.2 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue occurs in the Additional Settings tab's Import function, where the plugin fails to properly validate the contents of imported files before unserialization (NVD).

When exploited, this vulnerability could allow an attacker to perform PHP object injection if a suitable gadget chain is present on the blog. This could potentially lead to arbitrary code execution on the affected system when an administrator imports a malicious file, either intentionally or unintentionally (WPScan).

The vulnerability has been fixed in Easy WP SMTP version 1.5.0. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).