Lucene search

[email protected]CVE-2022-0888

HistoryMar 23, 2022 - 8:15 p.m.

CVE-2022-0888

2022-03-2320:15:10

CWE-434

[email protected]

web.nvd.nist.gov

ninja forms

file uploads

extension

wordpress

plugin

vulnerability

cve-2022-0888

nvd

remote code execution

security

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

85.9%

JSON

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0

Affected configurations

Vulners

NVD

Node

saturdaydriveninja_forms_-_file_uploadsRange≤3.3.0

CPENameOperatorVersion
ninjaforms:ninja_forms_file_uploadsninjaforms ninja forms file uploadsle3.3.0

CPE	Name	Operator	Version
ninjaforms:ninja_forms_file_uploads	ninjaforms ninja forms file uploads	le	3.3.0

CNA Affected

[
  {
    "vendor": "SaturdayDrive",
    "product": "Ninja Forms - File Uploads",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "3.3.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]