CVE-2022-0656
Published 2022-04-25
Priority P2 · 77 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 7.74% (93.9th percentile)
The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc.).
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webtoprint | web_to_print_shop | < 3.3.3 | 3.3.3 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /wp-admin/admin-ajax.php with action=udraw_convert_url_to_base64 and a url parameter pointing to local file paths (e.g., /etc/passwd, wp-config.php); this is indicative of LFI exploitation.
- The AJAX action udraw_convert_url_to_base64 is available to both unauthenticated and authenticated users; monitor for its invocation with file:// or local path values in the url parameter.
- Presence of the plugin directory /wp-content/plugins/udraw on a WordPress site indicates potential exposure; verify whether the plugin version is below 3.3.3.
- The HTTP request must include the headers X-Requested-With: XMLHttpRequest and Content-Type: application/x-www-form-urlencoded for the AJAX action to be processed.
- The vulnerable AJAX action is accessible without authentication; any unauthenticated POST to the endpoint with a local path in the url parameter is sufficient to exploit the vulnerability.
- The vulnerability affects uDraw versions strictly before 3.3.3; version 3.3.3 and later are patched.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | | 7.5 | HIGH | |
GHSA
GHSA-452j-v697-rp7m: The Web To Print Shop : uDraw WordPress plugin before 3
ghsa_unreviewed · 2022-04-26 · CVE-2022-0656 [HIGH] · CWE-552
VulnCheck
webtoprint web_to_print_shop: Files or Directories Accessible to External Parties
vulncheck · 2022 · CVE-2022-0656 [HIGH] · CVSS 7.5
Affected: webtoprint web_to_print_shop
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulner
Suricata
Note: as their reference fields show, the four rules below cover the SonicWall SonicOS stack-based buffer overflows CVE-2022-22274 and CVE-2023-0656, not the uDraw plugin issue CVE-2022-0656; they do not detect the admin-ajax.php LFI described above.
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M1
suricata · 2025-04-02 · CVE-2022-22274 [CRITICAL] · CVSS 9.8
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M1"; flow:established,to_server; urilen:>1024; http.uri; content:"/resources/"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2022-22274; classtype:attempted-dos; sid:2061248; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2022_22274, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag Exploit, updated_at
Suricata
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M1
suricata · 2025-04-02 · CVE-2023-0656 [CRITICAL] · CVSS 9.8
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M1"; flow:established,to_server; urilen:>1024; http.uri; content:"/stats/"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2023-0656; classtype:attempted-dos; sid:2061253; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2023_0656, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04
Suricata
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M2
suricata · 2025-04-02 · CVE-2023-0656 [CRITICAL] · CVSS 9.8
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2023-0656) M2"; flow:established,to_server; urilen:>1024; http.uri; content:"/Security_Services"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2023-0656; classtype:attempted-dos; sid:2061256; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2023_0656, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2
Suricata
ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M2
suricata · 2025-04-02 · CVE-2022-22274 [CRITICAL] · CVSS 9.8
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M2"; flow:established,to_server; urilen:>1024; http.uri; content:"/atp/"; startswith; http.protocol; bsize:>8; reference:url,github.com/BishopFox/CVE-2022-22274_CVE-2023-0656; reference:cve,2022-22274; classtype:attempted-dos; sid:2061251; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_02, cve CVE_2022_22274, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_02
Nuclei
uDraw <3.3.3 - Local File Inclusion
nuclei · CVE-2022-0656 [HIGH] · CVSS 7.5
uDraw before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc.).
Template:
id: CVE-2022-0656
info:
  name: uDraw <3.3.3 - Local File Inclusion
  author: akincibor
  severity: high
  description: uDraw before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 e