CVE-2022-46020
published 2022-12-20

CVE-2022-46020: WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.

Priority: P2 · 70 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 38.95% (98.4th percentile)

Affected (1 range)

Vendor: wbce
Product: wbce_cms
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /admin/settings/index.php?advanced=yes
url: /admin/settings/save.php
url: /modules/elfinder/ef/php/connector.wbce.php
path: /modules/elfinder/ef/php/connector.wbce.php
path: /media/
other: rename_files_on_upload=
  • The exploit uploads a .php web shell through the elFinder connector at /modules/elfinder/ef/php/connector.wbce.php (cmd=upload, target=l1_Lw), bypassing the upload file-type restriction.
  • Before uploading, it sets rename_files_on_upload to an empty string in the admin settings (the form at /admin/settings/index.php?advanced=yes posts to /admin/settings/save.php) so that WBCE no longer renames uploads and the .php extension survives on disk.
  • The web shell lands under /media/ with a .php extension; the exploit confirms code execution by requesting it and checking the response body for the string 751a8ba516522786d551075a092a7a84.
  • The malicious part of the multipart upload is sent with Content-Type: application/x-php and the connector accepts it anyway, so the declared content type of the part is not used as an upload filter.
  • In elFinder target hashes the prefix before the underscore is the volume id and the remainder is URL-safe base64 of the path with padding stripped, so l1_Lw is volume l1, path / (base64 of "/" is "Lw=="): the shell is written to the media root.
  • The attack is authenticated: the exploit first logs in via POST /admin/login/index.php, extracting the dynamically named username and password fields from the login page HTML before submitting valid admin credentials.
  • NVD rates the issue 9.8 Critical with PR:N, but the Nuclei template is tagged 'authenticated' and needs admin credentials, so the PR:N component does not match the precondition seen in exploitation; treat it as post-authentication RCE when prioritising.
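An added example, not part of this page or of the WBCE project: a Python correlation over constructed web-server access-log lines that flags the request chain described above (POST to /admin/settings/save.php, POST to the elFinder connector, then a successful GET of a .php file under /media/ from the same client), plus a decoder for elFinder target hashes showing why l1_Lw resolves to the root of volume l1. The log lines, client IPs and the shell filename are constructed for the example; the hash decoding follows elFinder's scheme (volume id prefix, then base64 of the path with '+/=' rewritten to '-_.' and padding trimmed).

```python
"""Correlate WBCE CMS access-log events into the CVE-2022-46020 upload chain."""
import base64
import re
from datetime import datetime, timedelta

# Constructed sample lines in Combined Log Format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2022:10:01:02 +0000] "POST /admin/login/index.php HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
203.0.113.7 - - [20/Dec/2022:10:01:03 +0000] "GET /admin/settings/index.php?advanced=yes HTTP/1.1" 200 18231 "-" "python-requests/2.28.1"
203.0.113.7 - - [20/Dec/2022:10:01:04 +0000] "POST /admin/settings/save.php HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
203.0.113.7 - - [20/Dec/2022:10:01:05 +0000] "POST /modules/elfinder/ef/php/connector.wbce.php HTTP/1.1" 200 412 "-" "python-requests/2.28.1"
203.0.113.7 - - [20/Dec/2022:10:01:06 +0000] "GET /media/ShELl9x.php HTTP/1.1" 200 32 "-" "python-requests/2.28.1"
198.51.100.9 - - [20/Dec/2022:11:15:00 +0000] "POST /modules/elfinder/ef/php/connector.wbce.php HTTP/1.1" 200 611 "https://cms.example/admin/media/" "Mozilla/5.0"
198.51.100.9 - - [20/Dec/2022:11:15:02 +0000] "GET /media/banner.png HTTP/1.1" 200 20481 "https://cms.example/admin/media/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CONNECTOR = "/modules/elfinder/ef/php/connector.wbce.php"
SETTINGS_SAVE = "/admin/settings/save.php"
# Anything PHP-executable under the upload root, whatever the query string.
SCRIPT_UNDER_MEDIA = re.compile(r"^/media/.*\.(php\d?|phtml|phar)$", re.I)


def decode_elfinder_hash(h: str):
    """Split an elFinder target hash into (volume id, path).

    elFinder hashes are '<volume>_' + base64(path) with '+/=' rewritten to
    '-_.' and trailing padding dropped, so 'l1_Lw' is volume 'l1', path '/'.
    """
    vol, _, enc = h.partition("_")
    enc = enc.translate(str.maketrans("-_.", "+/="))
    enc += "=" * (-len(enc) % 4)          # restore the stripped padding
    return vol, base64.b64decode(enc).decode()


def parse_line(line: str):
    """Parse one Combined Log Format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["target"].split("?", 1)[0]
    ev["status"] = int(ev["status"])
    return ev


def is_script_under_media(target: str) -> bool:
    return bool(SCRIPT_UNDER_MEDIA.match(target.split("?", 1)[0]))


def find_upload_chains(lines, window=timedelta(minutes=10)):
    """One alert per client that POSTs to the elFinder connector and then
    fetches a PHP file from /media/ within `window`. A preceding POST to
    save.php (the rename_files_on_upload change) is recorded as extra
    evidence; the upload-then-fetch pair alone already warrants a look."""
    last_save, last_upload, alerts = {}, {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["method"] == "POST" and ev["path"] == SETTINGS_SAVE:
            last_save[ip] = ts
        elif ev["method"] == "POST" and ev["path"] == CONNECTOR:
            last_upload[ip] = ts
        elif (ev["method"] == "GET" and ev["status"] == 200
              and is_script_under_media(ev["target"])):
            up = last_upload.get(ip)
            if up is None or ts - up > window:
                continue
            save = last_save.get(ip)
            alerts.append({
                "ip": ip,
                "shell": ev["path"],
                "uploaded_at": up.isoformat(),
                "settings_changed": save is not None and save <= up
                                    and up - save <= window,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_upload_chains(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second client in the sample uploads a PNG through the same connector and is not flagged: the connector endpoint is legitimate admin traffic on any WBCE site, so the signal is the combination of an upload followed by a successful request for a PHP file under /media/, not the endpoint itself.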