Vulnerability Details: CVE-2022-0888
The Ninja Forms - File Uploads Extension WordPress plugin, in versions up to and including 3.3.0, is vulnerable to arbitrary file uploads. The input file type validation in the ~/includes/ajax/controllers/uploads.php file is insufficient and can be bypassed, making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution.
Vulnerability category: Execute code
Products affected by CVE-2022-0888
- cpe:2.3:a:ninjaforms:ninja_forms_file_uploads:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-0888
- 1.35%: probability of exploitation activity in the next 30 days
- ~86%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2022-0888
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | Wordfence | |
CWE ids for CVE-2022-0888
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security@wordfence.com (Secondary)
References for CVE-2022-0888
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0888
  Vulnerability Advisories - Wordfence (Third Party Advisory)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f00eeaef-f277-481f-9e18-bf1ced0015a0?source=cve
  Ninja Forms - File Uploads Extension <= 3.3.0 - Arbitrary File Upload
- https://gist.github.com/Xib3rR4dAr/5f0accbbfdee279c68ed144da9cd8607
  WordPress Plugin Ninja Forms - File Uploads Extension >= 3.3.0 - Unauthenticated Arbitrary File Upload · GitHub (Exploit; Patch; Third Party Advisory)