CVE-2022-0656

CVE-2022-0656: uDraw < 3.3.3 - Unauthenticated Arbitrary File Access

Vendor Unknown
Product Web To Print Shop : uDraw
Weakness CWE-552 · Files accessible externally
Published April 25, 2022
Last update August 2, 2024

CVSS base score

What the vulnerability does

01Description

The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc)

Key dates

02Disclosure timeline

April 25, 2022 CVE published
August 2, 2024 Record updated