CVE-2022-0537 - OpenCVE

The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mappresspro	Mappress

Configuration 1 [-]

cpe:2.3:a:mappresspro:mappress:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2022-04-04T15:35:46

Updated: 2024-08-02T23:32:46.208Z

Reserved: 2022-02-08T00:00:00

Link: CVE-2022-0537

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-04T16:15:09.363

Modified: 2023-02-09T15:15:41.677

Link: CVE-2022-0537

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "MapPress Maps for WordPress", "vendor": "Unknown", "versions": [{"lessThan": "2.73.13", "status": "affected", "version": "2.73.13", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "qerogram"}], "descriptions": [{"lang": "en", "value": "The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the \"ajax_save\" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-04T15:35:46", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367"}], "source": {"discovery": "EXTERNAL"}, "title": "MapPress Maps for WordPress < 2.73.13 - Admin+ File Upload to Remote Code Execution", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-0537", "STATE": "PUBLIC", "TITLE": "MapPress Maps for WordPress < 2.73.13 - Admin+ File Upload to Remote Code Execution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MapPress Maps for WordPress", "version": {"version_data": [{"version_affected": "<", "version_name": "2.73.13", "version_value": "2.73.13"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "qerogram"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the \"ajax_save\" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:32:46.208Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-0537", "datePublished": "2022-04-04T15:35:46", "dateReserved": "2022-02-08T00:00:00", "dateUpdated": "2024-08-02T23:32:46.208Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mappresspro:mappress:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "0DDE48BD-889C-4141-AAAA-E35BBEC25DC1", "versionEndExcluding": "2.73.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the \"ajax_save\" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access."}, {"lang": "es", "value": "El plugin MapPress Maps para WordPress versiones anteriores a 2.73.13, permite a un usuario con altos privilegios omitir las configuraciones DISALLOW_FILE_EDIT y DISALLOW_FILE_MODS y subir archivos arbitrarios al sitio mediante la funci\u00f3n \"ajax_save\". El archivo es escrito en relaci\u00f3n con el directorio de la hoja de estilo actual, y es a\u00f1adida una extensi\u00f3n de archivo .php. No es llevada a cabo ninguna comprobaci\u00f3n del contenido del archivo, desencadenando una vulnerabilidad de tipo RCE al subir un shell web. Adem\u00e1s, el par\u00e1metro de nombre no est\u00e1 saneado, permitiendo que la carga \u00fatil sea cargada en cualquier directorio al que el servidor tenga acceso de escritura"}], "id": "CVE-2022-0537", "lastModified": "2023-02-09T15:15:41.677", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-04T16:15:09.363", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "contact@wpscan.com", "type": "Primary"}]}