The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0
References
Link | Resource |
---|---|
https://gist.github.com/Xib3rR4dAr/5f0accbbfdee279c68ed144da9cd8607 | Exploit Patch Third Party Advisory |
https://www.wordfence.com/threat-intel/vulnerabilities/id/f00eeaef-f277-481f-9e18-bf1ced0015a0?source=cve | |
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0888 | Third Party Advisory |
Configurations
History
11 Jan 2024, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 May 2022, 19:34
Type | Values Removed | Values Added |
---|---|---|
First Time |
Ninjaforms ninja Forms File Uploads
|
|
CPE | cpe:2.3:a:ninjaforms:ninja_forms_file_uploads:*:*:*:*:*:wordpress:*:* |
29 Mar 2022, 00:39
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-434 | |
CPE | cpe:2.3:a:ninjaforms:ninja_forms:*:*:*:*:*:wordpress:*:* | |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
First Time |
Ninjaforms
Ninjaforms ninja Forms |
|
References | (MISC) https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0888 - Third Party Advisory | |
References | (MISC) https://gist.github.com/Xib3rR4dAr/5f0accbbfdee279c68ed144da9cd8607 - Exploit, Patch, Third Party Advisory |
23 Mar 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-03-23 20:15
Updated : 2024-01-11 09:15
NVD link : CVE-2022-0888
Mitre link : CVE-2022-0888
CVE.ORG link : CVE-2022-0888
JSON object : View
Products Affected
ninjaforms
- ninja_forms_file_uploads
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type