WordPress Plugin Vulnerabilities

AdSanity < 1.8.2 - Contributor Arbitrary File Upload

Description

The plugin does not have authorisation check in its adsanity_html5_upload, relying on a CSRF check for it. However, the nonce is available to any authenticated with a role as low contributor, allowing them to call it. Furthermore, due to the lack of validation of the upload file, it could allow them to upload arbitrary PHP and HTML files, leading to RCE and XSS.

Note: v1.8.2 does not allow contributor to perform such attack anymore, however Author+ can still do it.

Affects Plugins

Plugin icon
adsanity
Fixed in 1.8.2

References

CVE
CVE-2022-4949
URL
https://blog.nintechnet.com/critical-vulnerability-in-wordpress-adsanity-plugin/

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
aa2413ca-e66e-4906-851d-f31f96208b9d

Timeline

Publicly Published
2022-01-25 (about 4 years ago)
Added
2022-01-25 (about 4 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2024-03-12
Title
Awesome Support < 6.1.7 - Insufficient Authorization via wpas_can_delete_attachments()
Published
2025-07-30
Title
HT Mega – Absolute Addons For Elementor < 2.9.2 - Improper Authorization to Authenticated (Contributor+) Limited Administrator Actions
Published
2023-11-21
Title
Abandoned Cart Lite for WooCommerce < 5.16.1 - Improper Authorization via wcal_delete_expired_used_coupon_code
Published
2023-11-16
Title
Jetpack < 12.7 - Improper Authorization via WPCom External Media REST endpoints
Published
2025-07-01
Title
Soumettre.fr <= 2.1.5 - Unauthenticated Soumettre Posts Creation/Modification/Deletion