cvebase
CVE-2022-2314
published 2022-08-15

CVE-2022-2314: The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site.

Priority: P1 (83)
CVSS 3.1: 9.8 critical
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploitation: exploited in the wild; listed in VulnCheck KEV
EPSS: 12.44% (95.7th percentile)

Affected

1 range:
Vendor: vr_calendar_project
Product: vr_calendar
Version range: <= 2.3.2
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-post.php?vrc_cmd=phpinfo
path: /wp-content/plugins/vr-calendar-sync/
command: vrc_cmd=phpinfo
  • Probe for plugin presence by checking for the string 'vrc-calendar' in the body of /wp-content/plugins/vr-calendar-sync/assets/js/public.js
  • Exploitation is confirmed when an HTTP 200 response to /wp-admin/admin-post.php?vrc_cmd=phpinfo contains both 'phpinfo' and 'PHP Version' in the response body, indicating unauthenticated arbitrary PHP function execution via the vrc_cmd parameter
  • The attack requires no authentication (PR:N, UI:N); any unauthenticated GET request to admin-post.php carrying the vrc_cmd parameter can trigger arbitrary PHP function execution
  • The vulnerability affects VR Calendar plugin versions up to and including 2.3.2; version 2.3.3 or later is not affected
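
The checks above, written out as runnable detection logic. This is an added example by the editor, not code from the CVE record, its sources, or the VR Calendar plugin: it builds the probe URL, applies the presence and exploitation-confirmation criteria to a fetched body, and scans combined-format web server access logs for requests hitting admin-post.php with a vrc_cmd parameter. The log rule deliberately keys on the parameter name rather than the value phpinfo, since the page states the parameter executes arbitrary functions and phpinfo is only the probe the sources use; that generalisation, the sample log lines and the site URL are the editor's own constructions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Added example for CVE-2022-2314 detection logic; not the plugin's or the sources' code.
# Paths and strings below are the IOCs listed on the page.
PROBE_PATH = "/wp-admin/admin-post.php?vrc_cmd=phpinfo"
PLUGIN_JS_PATH = "/wp-content/plugins/vr-calendar-sync/assets/js/public.js"
PLUGIN_MARKER = "vrc-calendar"


def probe_url(base: str) -> str:
    """Build the exploitation-check URL for a site base URL (base URL is caller-supplied)."""
    return base.rstrip("/") + PROBE_PATH


def plugin_present(public_js_body: str) -> bool:
    """Presence check from the page: public.js of the plugin contains 'vrc-calendar'."""
    return PLUGIN_MARKER in public_js_body


def is_vulnerable(status: int, body: str) -> bool:
    """Exploitation confirmed per the page: HTTP 200 and both 'phpinfo' and 'PHP Version' in the body."""
    return status == 200 and "phpinfo" in body and "PHP Version" in body


# Apache/nginx combined log format; only the fields this rule needs are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def detect_vrc_cmd(lines):
    """Return one finding per request that reaches admin-post.php with a vrc_cmd parameter.

    Keyed on the parameter name, not the value 'phpinfo': the page says the
    parameter lets the caller execute arbitrary PHP functions, so an attacker
    who already knows the site is vulnerable will not bother with phpinfo.
    (Editor's generalisation of the page's IOC, stated as an assumption.)
    """
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parsed = urlparse(m.group("target"))
        if not parsed.path.endswith("/wp-admin/admin-post.php"):
            continue
        params = parse_qs(parsed.query)
        if "vrc_cmd" not in params:
            continue
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "function": params["vrc_cmd"][0],
            "status": int(m.group("status")),
        })
    return findings


# Constructed sample log lines (not captured traffic): two probes from one source,
# a benign fetch of the plugin's JS, and a normal authenticated admin-post.php POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Aug/2022:10:01:02 +0000] "GET /wp-admin/admin-post.php?vrc_cmd=phpinfo HTTP/1.1" 200 51234 "-" "curl/7.81.0"',
    '203.0.113.7 - - [15/Aug/2022:10:01:09 +0000] "GET /wp-admin/admin-post.php?vrc_cmd=phpversion HTTP/1.1" 200 5 "-" "curl/7.81.0"',
    '198.51.100.4 - - [15/Aug/2022:10:02:00 +0000] "GET /wp-content/plugins/vr-calendar-sync/assets/js/public.js HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Aug/2022:10:02:30 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://example.com/wp-admin/" "Mozilla/5.0"',
]


if __name__ == "__main__":
    print("probe:", probe_url("https://example.com"))
    for finding in detect_vrc_cmd(SAMPLE_LOG):
        print("vrc_cmd call:", finding)
```

Run the plugin-presence check before the probe so you can separate "plugin absent" from "plugin present but patched"; a 2.3.3 or later install will have the JS marker but should not return phpinfo output for the probe.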

CVSS provenance

NVD: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
VulnCheck: 9.8 CRITICAL