CVE-2022-0888

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
WordfenceCNA
9.8 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 92%
VendorProductVersion
ninjaformsninja_forms_file_uploads
𝑥
≤ 3.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gist.github.com/Xib3rR4dAr/5f0accbbfdee279c68ed144da9cd8607
https://www.wordfence.com/threat-intel/vulnerabilities/id/f00eeaef-f277-481f-9e18-bf1ced0015a0?source=cve
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0888
https://gist.github.com/Xib3rR4dAr/5f0accbbfdee279c68ed144da9cd8607
https://www.wordfence.com/threat-intel/vulnerabilities/id/f00eeaef-f277-481f-9e18-bf1ced0015a0?source=cve
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0888