cve-2022-0537
Vulnerability from cvelistv5
Published
2022-04-04 15:35
Modified
2024-08-02 23:32
Severity ?
Summary
The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access.
References
contact@wpscan.comhttps://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367Exploit, Third Party Advisory
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:32:46.208Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MapPress Maps for WordPress",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "2.73.13",
              "status": "affected",
              "version": "2.73.13",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "qerogram"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the \"ajax_save\" function. The file is written relative to the current \u0027s stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T15:35:46",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "MapPress Maps for WordPress \u003c 2.73.13 - Admin+ File Upload to Remote Code Execution",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-0537",
          "STATE": "PUBLIC",
          "TITLE": "MapPress Maps for WordPress \u003c 2.73.13 - Admin+ File Upload to Remote Code Execution"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MapPress Maps for WordPress",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "2.73.13",
                            "version_value": "2.73.13"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "qerogram"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the \"ajax_save\" function. The file is written relative to the current \u0027s stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access."
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-0537",
    "datePublished": "2022-04-04T15:35:46",
    "dateReserved": "2022-02-08T00:00:00",
    "dateUpdated": "2024-08-02T23:32:46.208Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mappresspro:mappress:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"2.73.13\", \"matchCriteriaId\": \"0DDE48BD-889C-4141-AAAA-E35BBEC25DC1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the \\\"ajax_save\\\" function. The file is written relative to the current \u0027s stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access.\"}, {\"lang\": \"es\", \"value\": \"El plugin MapPress Maps para WordPress versiones anteriores a 2.73.13, permite a un usuario con altos privilegios omitir las configuraciones DISALLOW_FILE_EDIT y DISALLOW_FILE_MODS y subir archivos arbitrarios al sitio mediante la funci\\u00f3n \\\"ajax_save\\\". El archivo es escrito en relaci\\u00f3n con el directorio de la hoja de estilo actual, y es a\\u00f1adida una extensi\\u00f3n de archivo .php. No es llevada a cabo ninguna comprobaci\\u00f3n del contenido del archivo, desencadenando una vulnerabilidad de tipo RCE al subir un shell web. Adem\\u00e1s, el par\\u00e1metro de nombre no est\\u00e1 saneado, permitiendo que la carga \\u00fatil sea cargada en cualquier directorio al que el servidor tenga acceso de escritura\"}]",
      "id": "CVE-2022-0537",
      "lastModified": "2024-11-21T06:38:52.007",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-04-04T16:15:09.363",
      "references": "[{\"url\": \"https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "contact@wpscan.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"contact@wpscan.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-434\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-0537\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2022-04-04T16:15:09.363\",\"lastModified\":\"2024-11-21T06:38:52.007\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the \\\"ajax_save\\\" function. The file is written relative to the current \u0027s stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access.\"},{\"lang\":\"es\",\"value\":\"El plugin MapPress Maps para WordPress versiones anteriores a 2.73.13, permite a un usuario con altos privilegios omitir las configuraciones DISALLOW_FILE_EDIT y DISALLOW_FILE_MODS y subir archivos arbitrarios al sitio mediante la funci\u00f3n \\\"ajax_save\\\". El archivo es escrito en relaci\u00f3n con el directorio de la hoja de estilo actual, y es a\u00f1adida una extensi\u00f3n de archivo .php. No es llevada a cabo ninguna comprobaci\u00f3n del contenido del archivo, desencadenando una vulnerabilidad de tipo RCE al subir un shell web. Adem\u00e1s, el par\u00e1metro de nombre no est\u00e1 saneado, permitiendo que la carga \u00fatil sea cargada en cualquier directorio al que el servidor tenga acceso de escritura\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"contact@wpscan.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mappresspro:mappress:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"2.73.13\",\"matchCriteriaId\":\"0DDE48BD-889C-4141-AAAA-E35BBEC25DC1\"}]}]}],\"references\":[{\"url\":\"https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.