CVE-2022-0537

{"id": "CVE-2022-0537", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2022-04-04T16:15:09.363", "references": [{"url": "https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the \"ajax_save\" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access."}, {"lang": "es", "value": "El plugin MapPress Maps para WordPress versiones anteriores a 2.73.13, permite a un usuario con altos privilegios omitir las configuraciones DISALLOW_FILE_EDIT y DISALLOW_FILE_MODS y subir archivos arbitrarios al sitio mediante la funci\u00f3n \"ajax_save\". El archivo es escrito en relaci\u00f3n con el directorio de la hoja de estilo actual, y es a\u00f1adida una extensi\u00f3n de archivo .php. No es llevada a cabo ninguna comprobaci\u00f3n del contenido del archivo, desencadenando una vulnerabilidad de tipo RCE al subir un shell web. Adem\u00e1s, el par\u00e1metro de nombre no est\u00e1 saneado, permitiendo que la carga \u00fatil sea cargada en cualquier directorio al que el servidor tenga acceso de escritura"}], "lastModified": "2024-11-21T06:38:52.007", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mappresspro:mappress:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "0DDE48BD-889C-4141-AAAA-E35BBEC25DC1", "versionEndExcluding": "2.73.13"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}