CVE-2022-4395
Published: 2023-01-30
Priority: P178 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 17.57% (96.8th percentile)
The Membership For WooCommerce WordPress plugin before 2.1.7 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpswings | membership_for_woocommerce | < 2.1.7 | 2.1.7 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the WordPress AJAX endpoint with the action parameter 'wps_membership_csv_file_upload', which is the vulnerable file upload handler exploited for RCE.
- Monitor for PHP file creation or GET requests under the path /wp-content/uploads/mfw-activity-logger/csv-uploads/, as this is the drop location for uploaded webshells.
- Alert on HTTP GET requests to .php files within /wp-content/uploads/mfw-activity-logger/csv-uploads/; this indicates webshell access/execution following a successful upload.
- The exploit checks for the string 'Ex3ptionaL' in the webshell response to confirm successful upload and execution; use this as a webshell beacon string in network/response body inspection.
- The vulnerability allows unauthenticated users to upload arbitrary files (e.g., malicious PHP) via the plugin's CSV upload feature, leading to RCE; no authentication is required for exploitation.
- The vulnerability is only present in Membership For WooCommerce plugin versions before 2.1.7; sites running 2.1.7 or later are not affected.
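The first three detection points above can be turned into a small log-scanning rule set. The following is an added example written for this page, not code from the plugin vendor or from any exploit or detection source it links; it assumes web-server access logs in the common combined format, and the sample lines it scans are constructed. One caveat a practitioner should know: the `action` parameter of an admin-ajax.php call normally travels in the POST body, which standard access logs do not record, so the first rule only fires when the parameter appears in the query string; catching the body form needs a WAF or request-body logging. The beacon-string check from the fourth point is likewise a response-body match and is not attempted here.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2023:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload HTTP/1.1" 200 85 "-" "python-requests/2.28"
203.0.113.7 - - [30/Jan/2023:10:01:05 +0000] "GET /wp-content/uploads/mfw-activity-logger/csv-uploads/shell.php HTTP/1.1" 200 312 "-" "python-requests/2.28"
198.51.100.3 - - [30/Jan/2023:10:02:11 +0000] "GET /wp-content/uploads/mfw-activity-logger/csv-uploads/members.csv HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.3 - - [30/Jan/2023:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

# Indicators taken from the detection notes on this page.
UPLOAD_DIR = "/wp-content/uploads/mfw-activity-logger/csv-uploads/"
VULN_ACTION = "wps_membership_csv_file_upload"
# Extensions PHP is commonly configured to execute; assumption, tune per server.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a request record for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        # Decode and normalise so '%2e%2e/' or '/./' tricks do not dodge the prefix test.
        "path": posixpath.normpath(unquote(parts.path)),
        "query": parse_qs(parts.query),
        "status": int(m["status"]),
    }


def is_upload_handler_call(rec):
    """Rule 1: POST to admin-ajax.php naming the vulnerable CSV upload action."""
    return (
        rec["method"] == "POST"
        and rec["path"].endswith("/wp-admin/admin-ajax.php")
        and VULN_ACTION in rec["query"].get("action", [])
    )


def is_php_under_upload_dir(path):
    """Rules 2/3: a PHP-executable file inside the plugin's CSV upload directory."""
    path = posixpath.normpath(unquote(path))
    if not path.startswith(UPLOAD_DIR):
        return False
    return posixpath.splitext(path)[1].lower() in PHP_EXTENSIONS


def classify(rec):
    """Return the names of every rule the record matches."""
    hits = []
    if is_upload_handler_call(rec):
        hits.append("csv-upload-handler")
    if is_php_under_upload_dir(rec["path"]):
        hits.append("php-in-upload-dir")
    return hits


def scan(log_text):
    """Scan access-log text and return one alert dict per rule hit, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            alerts.append({"rule": rule, "ip": rec["ip"], "ts": rec["ts"],
                           "path": rec["path"], "status": rec["status"]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["ts"]} {a["ip"]} {a["rule"]} {a["path"]} {a["status"]}')
```

On the constructed sample the scanner raises two alerts from the same client address a few seconds apart: the upload-handler call followed by a GET to a `.php` file in the drop directory. Legitimate CSV retrievals from that directory and ordinary heartbeat AJAX calls produce nothing. A `status` of 200 on the second hit is the strongest signal, since it means the server actually executed the uploaded file; correlating the two rules by source address within a short window is a reasonable way to promote them from individual hits to a single high-confidence incident.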
No detection rules found.
No writeups or analysis indexed.