Vulnerability CVE-2022-0888


Published: 2022-03-23

Description:
The Ninja Forms - File Uploads Extension WordPress plugin, in versions up to and including 3.3.0, is vulnerable to arbitrary file uploads. The input file type validation in the ~/includes/ajax/controllers/uploads.php file is insufficient and can be bypassed, making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution.

Type: CWE-434 (Unrestricted Upload of File with Dangerous Type)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software
Ninjaforms -> Ninja forms 

 References:
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0888
https://gist.github.com/Xib3rR4dAr/5f0accbbfdee279c68ed144da9cd8607
