CVE-2022-2633
Published 2022-09-06
Priority: P270 · high · CVSS 3.1: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EXPLOIT
EPSS: 24.54% (97.6th percentile)
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blind server-side request forgery via the 'dl' parameter found in the ~/public/video.php file in versions up to, and including 2.6.0. This makes it possible for unauthenticated users to download sensitive files hosted on the affected server and forge requests to the server.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plugins360 | all-in-one_video_gallery | 2.5.8 – 2.6.0 | — |
Detection & IOCs
- Monitor HTTP GET requests to /index.php/video/ containing a 'dl' parameter; the parameter value is base64-encoded and used to trigger SSRF or arbitrary file download.
- No authentication is required to exploit this vulnerability; flag unauthenticated requests to the video endpoint with a 'dl' parameter as suspicious.
- Exploitation can be confirmed by an out-of-band callback; look for DNS/HTTP interactions originating from the WordPress server to external hosts after a crafted 'dl' request.
- The vulnerable code path is in public/video.php at line 227; inspect that file for unpatched versions (<=2.6.0).
- The Nuclei template uses a 10-second timeout for the SSRF probe request; detections relying on out-of-band callbacks (Interactsh) may miss slow or filtered responses.
- The 'dl' parameter value must be base64-encoded; WAF or detection rules inspecting raw query strings for URLs will not catch the encoded payload without a decode step.
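The decode step called for above, as an added example (not code from this page, the Nuclei template or the plugin): it scans access-log lines for 'dl' requests to the video endpoint, base64-decodes the value and labels what it points at. The combined log format, the sample lines and the verdict names are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def decode_dl(value):
    """Base64-decode a dl value; return None if it is not valid base64 text."""
    # parse_qs turns '+' into ' '; also accept the URL-safe alphabet and missing padding.
    raw = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def classify(line):
    """Return None for unrelated log lines, else (verdict, decoded dl value)."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    values = parse_qs(url.query, keep_blank_values=True).get("dl")
    if "/index.php/video/" not in url.path or not values:
        return None
    decoded = decode_dl(values[0])
    if decoded is None:
        return ("dl-undecodable", None)
    if SCHEME.match(decoded):
        return ("dl-remote-url", decoded)   # server asked to fetch a URL: SSRF candidate
    if "/" in decoded or "\\" in decoded:
        return ("dl-local-path", decoded)   # filesystem path: file-download candidate
    return ("dl-other", decoded)

def sample_line(suffix):
    # Constructed combined-log-format line; address and timestamp are placeholders.
    return f'203.0.113.5 - - [06/Sep/2022:10:00:00 +0000] "GET /index.php/video/{suffix} HTTP/1.1" 200 0 "-" "-"'

SAMPLES = [  # constructed requests, not captured traffic
    sample_line("?dl=" + base64.b64encode(b"http://callback.example/").decode()),
    sample_line("?dl=" + base64.b64encode(b"/var/www/html/example.txt").decode()),
    sample_line("?dl=not*base64"),
    sample_line("my-clip/"),
]

if __name__ == "__main__":
    print(*map(classify, SAMPLES), sep="\n")
```

Every non-None verdict is worth alerting on for an unauthenticated client; the label only tells the analyst whether to look next for outbound connections from the server or for a file read.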
No detection rules found.
Nuclei
CVE-2022-2633 [HIGH] All-In-One Video Gallery <=2.6.0 - Server-Side Request Forgery
WordPress All-in-One Video Gallery plugin through 2.6.0 is susceptible to arbitrary file download and server-side request forgery (SSRF) via the 'dl' parameter found in the ~/public/video.php file. An attacker can download sensitive files hosted on the affected server and forge requests to the server.
Template:
id: CVE-2022-2633
info:
  name: All-In-One Video Gallery <=2.6.0 - Server-Side Request Forgery
  author: theamanrawat
  severity: high
  description: |
    WordPress All-in-One Video Gallery plugin through 2.6.0 is susceptible to arbitrary file download and server-side request forgery (SSRF) via the 'dl' parameter found in the ~/public/video.php file. An attacker can download sensitive files hosted on the affected server and for
- https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/video.php#L227
- https://plugins.trac.wordpress.org/changeset/2768384/all-in-one-video-gallery/trunk/public/video.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2744708%40all-in-one-video-gallery&new=2744708%40all-in-one-video-gallery&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/83b0534e-1b8d-46a8-9698-e7ca73e5ab57?source=cve
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2633
Published: 2022-09-06