CVE-2022-3342: 
WordPress vulnerability analysis and mitigation

The Jetpack CRM plugin for WordPress (versions up to and including 5.3.1) contains a PHAR deserialization vulnerability (CVE-2022-3342). The vulnerability exists in the 'zbscrmcsvimpf' parameter within the 'zeroBSCRMCSVImporterLitehtmlapp' function. While the function performs a nonce check, steps 2 and 3 of the check do not take any action upon a failed check, allowing for potential object injection (Wordfence Advisory).

The vulnerability stems from improper handling of the 'file_exists' check on the 'zbscrmcsvimpf' parameter value. When a phar:// archive is supplied, its contents are deserialized and an object is injected into the execution stream. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while Wordfence assigned a score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

A successful exploitation could allow an unauthenticated attacker to achieve object injection if they can upload a phar archive (for instance if the site supports image uploads) and then trick an administrator into performing an action, such as clicking a link. This could potentially lead to remote code execution on the affected system (Wordfence Advisory).

The vulnerability has been patched in versions after 5.3.1. Users are strongly advised to update their Jetpack CRM plugin to the latest version. The fix can be found in the updated code at the WordPress plugin repository (WordPress Patch).