1. Home
  2. CVE Database
  3. CVE-2022-0656
HIGH · 7.5

CVE-2022-0656

The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated user...

Vulnerability Description

The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc)

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE

Affected Products

VendorProductVersions
WebtoprintWeb To Print Shop\< 3.3.3, udraw

Related Weaknesses (CWE)

CWE-552

References

FAQ

What is CVE-2022-0656?

CVE-2022-0656 is a vulnerability with a CVSS score of 7.5 (HIGH). The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated user...

How severe is CVE-2022-0656?

CVE-2022-0656 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-0656?

Check the references section above for vendor advisories and patch information. Affected products include: Webtoprint Web To Print Shop\.