CVE-2022-3989

2022-12-1218:15:12

[email protected]

web.nvd.nist.gov

motors wordpress plugin

file validation

ajax action

brute-force attack

cve-2022-3989

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.1%

JSON

The Motors WordPress plugin before 1.4.4 does not properly validate uploaded files for dangerous file types (such as .php) in an AJAX action, allowing an attacker to sign up on a victim’s WordPress instance, upload a malicious PHP file and attempt to launch a brute-force attack to discover the uploaded payload.

Affected configurations

Nvd

Node

stylemixthemesmotors_-_car_dealer\,_classifieds_\&_listingRange<1.4.4wordpress

VendorProductVersionCPE
stylemixthemesmotors_-_car_dealer\,_classifieds_\&_listing*cpe:2.3:a:stylemixthemes:motors_-_car_dealer\,_classifieds_\&_listing:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
stylemixthemes	motors_-_car_dealer\,_classifieds_\&_listing	*	cpe:2.3:a:stylemixthemes:motors_-_car_dealer\,_classifieds_\&_listing::::::wordpress::*