CVE-2022-0656
published 2022-04-25


Priority: P2 (77, high)
CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 7.74% (93.9th percentile)
The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc)

Affected (1 range)

Vendor       Product             Version range   Fixed in
webtoprint   web_to_print_shop   < 3.3.3         3.3.3

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: action=udraw_convert_url_to_base64&url=/etc/passwd
path: /wp-content/plugins/udraw
  • Detect unauthenticated POST requests to /wp-admin/admin-ajax.php with action=udraw_convert_url_to_base64 and a url parameter pointing to local file paths (e.g., /etc/passwd, wp-config.php) — indicative of LFI exploitation.
  • The AJAX action udraw_convert_url_to_base64 is available to both unauthenticated and authenticated users; monitor for its invocation with file:// or local path values in the url parameter.
  • Presence of the plugin directory /wp-content/plugins/udraw on a WordPress site indicates potential exposure; verify plugin version is below 3.3.3.
  • HTTP request must include header X-Requested-With: XMLHttpRequest and Content-Type: application/x-www-form-urlencoded for the AJAX action to be processed.
  • The vulnerable AJAX action is accessible without authentication; any unauthenticated POST to the endpoint with a local path in the url parameter is sufficient to exploit the vulnerability.
  • The vulnerability affects uDraw versions strictly before 3.3.3; version 3.3.3 and later are patched.
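The detection bullets above describe a simple rule: flag any request to admin-ajax.php whose action is udraw_convert_url_to_base64 and whose url parameter is not a remote HTTP(S) URL. The following Python is an added example that implements that rule over constructed request records; it is not code from the page, the plugin, or its vendor. It assumes the records come from a source that logs the POST body (a reverse proxy or WAF), since a plain access log does not carry the action name for POST requests, and the record field names (method, path, query, body, src_ip) are invented for the example.

```python
"""Flag abuse of the uDraw udraw_convert_url_to_base64 AJAX action (CVE-2022-0656)
in request logs.  Added example; record layout below is constructed for it.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

VULN_ACTION = "udraw_convert_url_to_base64"
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
ALLOWED_SCHEMES = {"http", "https"}


def classify_url_param(value: str) -> Optional[str]:
    """Return a reason if the url parameter is not a remote HTTP(S) URL, else None.

    A URL-to-base64 converter should only ever receive web URLs, so anything
    else is suspicious: PHP's file_get_contents() reads a schemeless value as a
    local filesystem path and honours stream wrappers such as file://.
    """
    scheme = urlparse(value.strip()).scheme.lower()
    if scheme == "":
        return "local path"
    if scheme not in ALLOWED_SCHEMES:
        return f"non-http scheme {scheme}://"
    return None


def inspect_request(record: dict) -> Optional[dict]:
    """Inspect one request record; return an alert dict or None.

    Parameters are merged from the query string and the POST body because
    admin-ajax.php accepts the action via either (WordPress reads $_REQUEST).
    The endpoint check uses endswith() so sub-directory installs still match.
    """
    if not record.get("path", "").endswith(AJAX_ENDPOINT):
        return None
    params = parse_qs(record.get("query", ""), keep_blank_values=True)
    params.update(parse_qs(record.get("body", ""), keep_blank_values=True))
    if params.get("action", [""])[0] != VULN_ACTION:
        return None
    url_value = params.get("url", [""])[0]
    reason = classify_url_param(url_value) if url_value else None
    return {
        "src_ip": record.get("src_ip", "?"),
        "method": record.get("method", "?"),
        "url_param": url_value,
        "reason": reason,
        # Any invocation is worth recording (the action is reachable without
        # authentication); a non-HTTP(S) target is the actual file-read attempt.
        "severity": "high" if reason else "info",
    }


def scan(records) -> list:
    """Run inspect_request over an iterable of records, keeping only alerts."""
    return [a for a in (inspect_request(r) for r in records) if a is not None]


# Constructed sample records (not real traffic).
SAMPLE_REQUESTS = [
    {"src_ip": "198.51.100.7", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "query": "", "body": "action=udraw_convert_url_to_base64&url=/etc/passwd"},
    {"src_ip": "198.51.100.7", "method": "GET", "path": "/blog/wp-admin/admin-ajax.php",
     "query": "action=udraw_convert_url_to_base64&url=file:///var/www/html/wp-config.php",
     "body": ""},
    {"src_ip": "203.0.113.2", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "query": "", "body": "action=udraw_convert_url_to_base64&url=https%3A%2F%2Fcdn.example.com%2Fimg.png"},
    {"src_ip": "203.0.113.9", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "query": "", "body": "action=heartbeat&_nonce=deadbeef"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert["severity"].upper(), alert["src_ip"], alert["method"],
              repr(alert["url_param"]), alert["reason"] or "remote URL")
```

The scheme allow-list is deliberately stricter than matching the literal /etc/passwd and wp-config.php strings from the bullets: any schemeless value or non-HTTP(S) wrapper is treated as a file-read attempt, while a well-formed remote URL is logged at "info" so that invocations of the unauthenticated action remain visible without paging on legitimate use. A web access log that lacks POST bodies cannot distinguish admin-ajax.php actions at all, so the rule should run where the body is available.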

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck   -         7.5     HIGH       -