cbcvebase.
CVE-2022-4060
published 2023-01-16

Priority: P1 · 85 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 metrics: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 42.72% (98.5th percentile)
The User Post Gallery WordPress plugin through 2.19 does not limit which callback functions users can call, making it possible for any visitor to run code on sites running it.

Affected

1 range
Vendor  Product            Version range  Fixed in
odude   user_post_gallery  <= 2.19        2.20

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:head+-1+/etc/passwd:NULL:NULL
Parameters: action=upg_datatable&field=field:exec:head+-1+/etc/passwd:NULL:NULL
  • Look for unauthenticated requests to /wp-admin/admin-ajax.php carrying action=upg_datatable; this is the vulnerable AJAX endpoint exposed by the wp-upg plugin. The known IOC is a GET request, but admin-ajax.php dispatches on $_REQUEST['action'], so do not assume GET only: inspect POST bodies as well as query strings.
  • The field parameter accepts a colon-delimited callback specification of the form field:<callback>:<argument>:NULL:NULL (e.g. field:exec:<OS_COMMAND>:NULL:NULL). Alert on any field value naming exec or another command-execution or code-evaluation function (system, passthru, shell_exec, eval, ...) in a request to upg_datatable. PHP function names are case-insensitive, so match them case-insensitively.
  • A successful exploitation response is JSON (Content-Type: application/json) containing recordsFiltered in the body together with the command output, for example /etc/passwd content matching root:.*:0:0:.
  • The plugin does not restrict which callback functions users can invoke, so any visitor, without authentication, can trigger arbitrary PHP callbacks via the upg_datatable AJAX action.
  • The vulnerability affects User Post Gallery (wp-upg) plugin versions up to and including 2.19; version 2.20 and later are patched.
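The detection notes above, turned into runnable logic as an added example (this is not code from the page, the plugin or VulnCheck): it parses access-log request lines, merges query-string and POST-body parameters the way admin-ajax.php's $_REQUEST does, grades any upg_datatable request by the callback named in the field parameter, and checks a response body for the recordsFiltered plus root:...:0:0: success indicator. The DANGEROUS_CALLBACKS list beyond exec, the log lines and the JSON reply are my own constructions, not observed traffic.

```python
"""Detection helper for CVE-2022-4060 (wp-upg 'upg_datatable' callback abuse).

Added example: scans web-server access-log lines and optional POST bodies for
requests that invoke a callback through the 'field' parameter, and grades the
response body. All sample data below is constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# PHP functions that run OS commands or evaluate code (assumed list; exec is the
# one named in the IOC). PHP function names are case-insensitive, so the lookup
# is done in lower case.
DANGEROUS_CALLBACKS = {
    "exec", "system", "passthru", "shell_exec", "popen", "proc_open",
    "eval", "assert", "call_user_func", "call_user_func_array",
}

# Request line inside a combined-format access-log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: two exploitation attempts, one legitimate DataTables
# call to the same action, one unrelated admin-ajax action.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2023:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:head+-1+/etc/passwd:NULL:NULL HTTP/1.1" 200 512 "-" "curl/7.81.0"
203.0.113.7 - - [16/Jan/2023:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=upg_datatable&field=field%3ASYSTEM%3Aid%3ANULL%3ANULL HTTP/1.1" 200 498 "-" "curl/7.81.0"
198.51.100.4 - - [16/Jan/2023:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=upg_datatable&field=post_title&draw=1 HTTP/1.1" 200 2048 "https://example.test/gallery/" "Mozilla/5.0"
198.51.100.9 - - [16/Jan/2023:10:03:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""


def merged_params(target, body=""):
    """Merge query-string and form-body parameters the way admin-ajax.php's
    $_REQUEST does, so a POSTed 'action' or 'field' is not missed."""
    params = {}
    for raw in (urlsplit(target).query, body):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            params[name] = values[-1]
    return params


def classify_request(method, target, body=""):
    """Grade one request. Returns (verdict, detail); verdict is None when the
    request is not an upg_datatable call at all."""
    if not urlsplit(target).path.endswith("/wp-admin/admin-ajax.php"):
        return None, ""
    params = merged_params(target, body)
    if params.get("action") != "upg_datatable":
        return None, ""
    field = params.get("field", "")
    parts = field.split(":")
    if len(parts) < 2:
        # A bare column name is what a normal DataTables front end sends.
        return "info", f"plain field={field!r}"
    callback = parts[1].strip().lower()
    argument = parts[2] if len(parts) > 2 else ""
    if callback in DANGEROUS_CALLBACKS:
        return "critical", f"{method} invokes {callback!r} with argument {argument!r}"
    # Any colon-delimited spec reaches the unrestricted callback path; worth a look.
    return "suspicious", f"{method} invokes callback {callback!r}"


def scan_log(text):
    """Return (verdict, source_ip, detail) for every critical/suspicious line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        verdict, detail = classify_request(m["method"], m["target"])
        if verdict in ("critical", "suspicious"):
            findings.append((verdict, line.split(" ", 1)[0], detail))
    return findings


def looks_like_exploit_output(response_body):
    """True when a JSON DataTables reply carries passwd-style content, the
    success indicator the IOC notes describe (recordsFiltered + root:...:0:0:)."""
    return ('"recordsFiltered"' in response_body
            and re.search(r"root:[^:\s]*:0:0:", response_body) is not None)


if __name__ == "__main__":
    for verdict, ip, detail in scan_log(SAMPLE_LOG):
        print(f"[{verdict}] {ip}: {detail}")
```

Run it as a script to triage a log file, or import it and call classify_request from a WAF or proxy hook, where the POST body is available. The plain-column case is graded "info" rather than dropped so that baseline use of the action stays visible while the callback form stands out.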

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL