id: CVE-2022-1392 info: name: WordPress Videos sync PDF <=1.7.4 - Local File Inclusion author: Veshraj severity: high description: WordPress Videos sync PDF 1.7.4 and prior does not validate the p parameter before using it in an include statement, which could lead to local file inclusion. remediation: | Upgrade to the latest version of WordPress Videos sync PDF plugin (>=1.7.5) or apply the vendor-provided patch to mitigate the vulnerability. reference: - https://wpscan.com/vulnerability/fe3da8c1-ae21-4b70-b3f5-a7d014aa3815 - https://packetstormsecurity.com/files/166534/ - https://nvd.nist.gov/vuln/detail/CVE-2022-1392 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2022-1392 cwe-id: CWE-22 epss-score: 0.01296 epss-percentile: 0.84376 cpe: cpe:2.3:a:commoninja:videos_sync_pdf:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 vendor: commoninja product: videos_sync_pdf framework: wordpress tags: lfi,wp-plugin,unauth,wpscan,cve,cve2022,packetstorm,wp,wordpress http: - method: GET path: - "{{BaseURL}}/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=tout" matchers-condition: and matchers: - type: word part: body words: - "failed to open stream: No such file or directory" - "REPERTOIRE_VIDEOSYNCPDFreglages/Menu_Plugins/tout.php" condition: and - type: status status: - 200 # digest: 4a0a0047304502205b7a0fa367a5ce8099a86f52c57cfbe043e3a27274272092a4d1d6eae4da6e480221008be0a379fa3acd3e395c1533e40661de1e24f8e20caaca76aecbd1990498e9d9:922c64590222798bb761d5b6d8e72950