CVE-2022-3912

User Registration < 2.2.4.1 - Subscriber+ Arbitrary File Upload

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The User Registration WordPress plugin before 2.2.4.1 does not properly restrict the files to be uploaded via an AJAX action available to both unauthenticated and authenticated users, which could allow unauthenticated users to upload PHP files for example.

El complemento User Registration de WordPress anterior a 2.2.4.1 no restringe adecuadamente los archivos que se cargarán mediante una acción AJAX disponible para usuarios autenticados y no autenticados, lo que podría permitir a los usuarios no autenticados cargar archivos PHP, por ejemplo.

The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the profile_pic_upload function in versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with subscriber access or higher, to upload arbitrary files on the affected sites server which may make remote code execution possible.

*Credits: cydave

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-11-09 CVE Reserved
2022-11-21 CVE Published
2024-07-04 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
https://wpscan.com/vulnerability/968c677c-1beb-459b-8fd1-7f70bcaa4f74	2024-08-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wpeverest Search vendor "Wpeverest"		User Registration Search vendor "Wpeverest" for product "User Registration"				< 2.2.4.1 Search vendor "Wpeverest" for product "User Registration" and version " < 2.2.4.1"		wordpress		Affected