CVE-2022-3366: 
NixOS vulnerability analysis and mitigation

The PublishPress Capabilities WordPress plugin before version 2.5.2 and PublishPress Capabilities Pro WordPress plugin before version 2.5.2 contain a vulnerability related to unserialization of imported files. This vulnerability was discovered in October 2022 and affects WordPress installations using these plugin versions (WPScan).

The vulnerability is classified as a PHP Object Injection vulnerability (CWE-502) that occurs when the plugin unserializes the content of imported files without proper validation. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity, but requiring high privileges (NVD).

If successfully exploited, this vulnerability could lead to PHP object injection attacks by administrators on multisite WordPress configurations. The impact is particularly severe when other plugins with suitable gadget chains are present on the site, potentially allowing for arbitrary code execution (WPScan).

The vulnerability has been fixed in version 2.5.2 of both PublishPress Capabilities and PublishPress Capabilities Pro plugins. Users are advised to update to these versions or later to mitigate the risk (WPScan).