CVE-2022-3989 Motors - Car Dealer, Classifieds & Listing < 1.4.4 - Arbitrary File Upload

2022-12-1217:54:58

WPScan

www.cve.org

motors wordpress plugin

arbitrary file upload

cve-2022-3989

security vulnerability

brute-force attack

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

43.1%

JSON

The Motors WordPress plugin before 1.4.4 does not properly validate uploaded files for dangerous file types (such as .php) in an AJAX action, allowing an attacker to sign up on a victim’s WordPress instance, upload a malicious PHP file and attempt to launch a brute-force attack to discover the uploaded payload.

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Motors",
    "collectionURL": "https://wordpress.org/plugins",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "1.4.4"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

wpscan.com/vulnerability/1bd20329-f3a5-466d-81b0-e4ff0ca32091