CVE-2022-46020
published 2022-12-20CVE-2022-46020: WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
PriorityP270critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
38.95%
98.4th percentile
WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wbce | wbce_cms | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Exploit uploads a .php webshell via the elFinder connector endpoint at /modules/elfinder/ef/php/connector.wbce.php using cmd=upload and target=l1_Lw, bypassing file type restrictions. ↗
- →The exploit sets 'rename_files_on_upload' to empty string in admin settings (POST /admin/settings/save.php) to disable file renaming, enabling direct .php shell upload. ↗
- →Uploaded webshell is placed under /media/ directory with a .php extension; successful RCE is confirmed by the presence of the string '751a8ba516522786d551075a092a7a84' in the HTTP response body. ↗
- →Multipart upload to elFinder uses Content-Type: application/x-php for the malicious file part, indicating content-type spoofing to bypass upload filters. ↗
- →The elFinder upload target parameter is set to 'l1_Lw' (base64 for 'l1_/'), targeting the root media directory for shell placement. ↗
- →Attack requires authentication; the exploit first logs in via POST /admin/login/index.php with dynamic username/password field names extracted from the login page. ↗
- ·The exploit is authenticated (requires valid admin credentials); the username and password field names are dynamically extracted from the login page HTML before submission. ↗
- ·CVSS score is 9.8 Critical (AV:N/AC:L/PR:N/UI:N) per NVD, but the Nuclei template tags it as 'authenticated', indicating the NVD PR:N rating may not reflect the actual authentication requirement observed in exploitation. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
WBCE CMS v1.5.4 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2022-46020 [CRITICAL] WBCE CMS v1.5.4 - Remote Code Execution
WBCE CMS v1.5.4 - Remote Code Execution
WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
Template:
id: CVE-2022-46020
info:
name: WBCE CMS v1.5.4 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
remediation: |
Upgrade to a patched version of WBCE CMS v1.5.5 or later to mitigate this vulnerability.
reference:
- https://github.com/WBCE/WBCE_CMS
- https://github.com/10vexh/Vulnerability/blob/main/WBCE%20CMS%20v1.5.4%20getshell.pdf
- https://nvd.nist.gov/vuln/detail/CVE-2022-46020
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/U
No writeups or analysis indexed.
2022-12-20
Published