CVE-2022-3374: 
WordPress vulnerability analysis and mitigation

The Ocean Extra WordPress plugin before version 2.0.5 contains a PHP object injection vulnerability (CVE-2022-3374). The vulnerability was discovered by Nguyen Duy Quoc Khanh and publicly disclosed on October 10, 2022. The issue affects the plugin's file import functionality where it unsafely deserializes content from imported files (WPScan).

The vulnerability stems from the plugin's unsafe deserialization of content from imported files during the Customizer Styling import process. This occurs when processing files through the 'Import Customizer Styling' feature located in Appearance > OceanWP > Customizer. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity but requiring high privileges (NVD).

When exploited, this vulnerability could allow an attacker to perform PHP object injection attacks if a suitable gadget chain is present on the target blog. This could potentially lead to arbitrary code execution within the context of the web application (WPScan).

The vulnerability has been fixed in Ocean Extra version 2.0.5. Users are advised to update to this version or later to mitigate the risk. No alternative workarounds have been publicly documented (WPScan).