CVE-2022-4060
Published 2023-01-16
Priority: P185 · critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit) · VulnCheck KEV · Initial access
EPSS: 42.72% (98.5th percentile)
The User Post Gallery WordPress plugin through 2.19 does not limit which callback functions can be called by users, making it possible for any visitor to run code on sites running it.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| odude | user_post_gallery | <= 2.19 | — (not recorded here; 2.20 and later are reported as patched) |
Detection & IOCs (extracted from sources)
- Look for unauthenticated GET requests to /wp-admin/admin-ajax.php with the action=upg_datatable parameter; this is the vulnerable AJAX endpoint exposed by the wp-upg plugin.
- The field parameter accepts colon-delimited callback specifications (e.g. field:exec:<OS_COMMAND>:NULL:NULL). Alert on any field value whose second colon-delimited token is exec or another PHP code- or command-execution function (system, passthru, shell_exec, eval, assert, and similar) in requests to upg_datatable. Match after URL-decoding, since the colons are normally sent as %3A; legitimate field values are plain column names and contain no colons.
- A successful exploitation response is JSON (Content-Type: application/json) containing recordsFiltered in the body together with command output, e.g. /etc/passwd content matching root:.*:0:0:.
- The plugin does not restrict which callback functions users can invoke: any visitor (unauthenticated) can trigger arbitrary PHP callbacks via the upg_datatable AJAX action.
- Affects User Post Gallery (wp-upg) plugin versions up to and including 2.19; version 2.20 and above are patched.
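The IOCs above translate directly into log and response triage. The following Python is an added example written for this page; it is not code from the plugin, from Wordfence, or from any of the sources listed below. It parses constructed access-log lines, flags upg_datatable requests whose field value names a PHP execution function, and separately checks a constructed response body for the JSON-plus-command-output pattern. The DANGEROUS_CALLBACKS list beyond exec, the log format regex and the sample data are assumptions made here.

```python
"""Access-log and response triage for CVE-2022-4060 (User Post Gallery / wp-upg <= 2.19).

Added example, not code from the page, the plugin or any of the listed sources.
It implements the IOCs above: admin-ajax.php requests with action=upg_datatable whose
'field' parameter carries a colon-delimited PHP callback spec, and JSON responses that
contain 'recordsFiltered' next to command output.  Log lines, the sample response and
the callback list beyond 'exec' are constructed here for illustration.
"""
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# 'exec' comes from the IOC; the rest are PHP's other command/code execution
# functions an attacker would name in the same position (assumed list).
DANGEROUS_CALLBACKS = {
    "exec", "system", "passthru", "shell_exec", "popen", "proc_open",
    "eval", "assert", "call_user_func", "file_put_contents",
}

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Success IOC from the page: an /etc/passwd root entry echoed in the response body.
PASSWD_RE = re.compile(r"root:[^:\n]*:0:0:")


def parse_callback_field(field_value):
    """Return the callback named in a spec such as 'field:exec:id:NULL:NULL', else None.

    The callback is the second colon-delimited token.  The value is URL-decoded once
    more here so a double-encoded %253A still splits on the colon.
    """
    parts = unquote_plus(field_value).split(":")
    if len(parts) < 2:
        return None
    return parts[1].strip().lower() or None


def analyze_request(target):
    """Classify one request target (path plus query string).

    Returns None unless the target is the upg_datatable AJAX endpoint; otherwise a dict
    naming the callback found (if any) and whether it is a known execution primitive.
    """
    url = urlsplit(target)
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # percent-decodes once
    if "upg_datatable" not in qs.get("action", []):
        return None
    callback = None
    for value in qs.get("field", []):
        callback = parse_callback_field(value)
        if callback:
            break
    return {"callback": callback, "dangerous": callback in DANGEROUS_CALLBACKS}


def scan_log(lines):
    """Return (ip, target, callback) for each exploitation attempt in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = analyze_request(m.group("target"))
        if verdict and verdict["dangerous"]:
            hits.append((m.group("ip"), m.group("target"), verdict["callback"]))
    return hits


def response_indicates_success(content_type, body):
    """True when a response matches the success IOC: JSON carrying 'recordsFiltered'
    whose body also contains command output (an /etc/passwd root line)."""
    if "application/json" not in content_type.lower():
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and "recordsFiltered" in data and bool(PASSWD_RE.search(body))


# Constructed sample input: one exploitation attempt, one benign use of the same
# endpoint, one unrelated admin-ajax action.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jan/2023:10:01:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=upg_datatable&field=field%3Aexec%3Acat+/etc/passwd%3ANULL%3ANULL HTTP/1.1" 200 1843 "-" "curl/7.85.0"',
    '198.51.100.4 - - [16/Jan/2023:10:02:15 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=upg_datatable&field=post_title HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Jan/2023:10:03:40 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
]

# Constructed response body shaped like the success IOC.
SAMPLE_RESPONSE = (
    "application/json; charset=UTF-8",
    '{"draw":1,"recordsTotal":1,"recordsFiltered":1,"data":[["root:x:0:0:root:/root:/bin/bash"]]}',
)

if __name__ == "__main__":
    for ip, target, callback in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} callback={callback} {target}")
    print("response looks like successful exploitation:",
          response_indicates_success(*SAMPLE_RESPONSE))
```

Only the first sample line is reported: the benign post_title request hits the same endpoint but carries no colon-delimited callback, and the heartbeat request is a different action. Keying on the second colon-delimited token rather than on the substring "exec" anywhere in the value keeps a column named, say, executive_summary from paging anyone.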
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-g823-9xxv-px4q (ghsa_unreviewed, 2023-01-16): CVE-2022-4060, CRITICAL, CWE-94
The User Post Gallery WordPress plugin through 2.19 does not limit which callback functions can be called by users, making it possible for any visitor to run code on sites running it.
VulnCheck
User Post Gallery WordPress plugin Callback Functions Vulnerability (vulncheck, 2022, CVE-2022-4060, CRITICAL, CVSS 9.8)
The User Post Gallery WordPress plugin through 2.19 does not limit which callback functions can be called by users, making it possible for any visitor to run code on sites running it.
Affected: odude user_post_gallery
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-upg/user-post-gallery-upg-219-missing-authorization-to-remote-command-execution
Exploit PoC: https://vulncheck.com/xdb/4c47bf189e1d
No detection rules found.
Nuclei
WordPress User Post Gallery <=2.19 - Remote Code Execution (nuclei, CVE-2022-4060, CRITICAL, CVSS 9.8)
Description: WordPress User Post Gallery <=2.19 is vulnerable to unauthenticated remote code execution through unrestricted callback functions. Upgrade to a fixed version (>=2.20) to mitigate this vulnerability.
```yaml
reference:
  - https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e
  - https://wordpress.org/plugins/wp-upg/
  - https://nvd.nist.gov/vuln/detail/CVE-2022-4060
  - https://github.com/im-hanzou/UPGer
  - https://github.com/nomi-sec/PoC-in-GitHub
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  cvss-score: 9.8
  cve-id: CVE-2022-4060
  cwe-id: CWE-94
  epss-score: 0.8913
  epss-percentile: 0.99533
  cpe: cpe:2.3:a:odude:user_post_gallery:*:*:*:*:*:wordpress:*:*
metadata:
  verified: true
  max-request: 1
  vendor: odude
  product: user_post_gallery
  framework: wordpress
tags: cve,cve2022,unauth,wpscan,rce,wordpress,wp-plugin,wp,wp-upg,odude,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax
```