CVE-2022-2434 in String Locator Plugin
Summary
by MITRE • 09/06/2022
The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/08/2026
The String Locator plugin for WordPress presents a critical security vulnerability classified as CVE-2022-2434, affecting versions up to and including 2.5.0. This vulnerability stems from improper input validation within the plugin's handling of the 'string-locator-path' parameter, creating a dangerous deserialization flaw that can be exploited by unauthenticated attackers. The vulnerability operates through a sophisticated attack vector that combines file upload capabilities with object deserialization techniques, making it particularly dangerous for WordPress installations that utilize this plugin.
The technical flaw manifests when the plugin processes user-supplied input through the 'string-locator-path' parameter without adequate sanitization or validation. This creates an environment where maliciously crafted serialized PHP objects can be passed through the parameter and subsequently deserialized by the application. The vulnerability specifically leverages the PHAR wrapper functionality, which allows attackers to execute arbitrary PHP code when the serialized object is processed. This type of vulnerability aligns with CWE-502, which categorizes deserialization of untrusted data as a critical security weakness, and represents a variant of the broader class of object-oriented programming vulnerabilities that can be exploited through malicious input manipulation.
The operational impact of this vulnerability extends beyond simple code execution, as it enables attackers to perform a wide range of malicious activities when combined with a successful file upload capability and a properly constructed POP (Property Oriented Programming) chain. The attack requires an initial file upload phase where the attacker must successfully place a serialized payload on the target system, followed by a social engineering component that tricks administrators into performing actions that trigger the deserialization process. This attack model follows the typical pattern described in the ATT&CK framework under T1203, which covers exploitation for privilege escalation, and demonstrates how seemingly minor input validation flaws can create significant security risks when combined with other attack vectors.
The security implications of CVE-2022-2434 are particularly severe because it can be exploited by unauthenticated attackers who do not require prior access credentials to the WordPress system. This makes the vulnerability especially dangerous for publicly accessible WordPress installations where the String Locator plugin is installed. The attack chain requires the attacker to first upload a malicious file containing serialized PHP objects, then convince an administrator to perform an action that triggers the deserialization process, typically through clicking on a malicious link or visiting a compromised page. The vulnerability essentially transforms a simple file upload capability into a sophisticated remote code execution vector, making it a significant concern for WordPress administrators and security teams responsible for protecting web applications. Organizations should immediately update to patched versions of the String Locator plugin and implement additional security measures to monitor for suspicious file uploads and user behavior that might indicate exploitation attempts.