CVE-2022-0537 in MapPress Maps for WordPress Plugin

Summary

by MITRE • 04/04/2022

The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further, the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access.


Analysis

by VulDB Data Team • 04/06/2022

The vulnerability identified as CVE-2022-0537 affects the MapPress Maps for WordPress plugin version 2.73.12 and earlier, presenting a critical security risk that enables privilege escalation and remote code execution. This flaw exists within the plugin's ajax_save function which processes file uploads without proper validation mechanisms, creating a pathway for malicious actors to bypass WordPress core security restrictions. The vulnerability specifically targets the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants that are designed to prevent unauthorized modifications to WordPress files, yet the flawed implementation allows authenticated high-privileged users to circumvent these protections through crafted requests.

The technical exploitation of this vulnerability relies on the absence of input sanitization and content validation within the file upload mechanism. When a user submits a file through the ajax_save endpoint, the system accepts the filename parameter without proper sanitization, allowing directory traversal attacks to occur. The system writes files relative to the current stylesheet directory while automatically appending a .php extension, which creates an ideal environment for web shell deployment. The lack of content validation means that any uploaded file content, regardless of its nature, will be executed as PHP code, transforming the vulnerability from a simple file upload issue into a full remote code execution threat.
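As an added illustration (not code from the MapPress plugin or from VulDB), the following Python models the write logic the advisory describes, next to a hardened equivalent that honours DISALLOW_FILE_MODS and confines the target to the stylesheet directory; the stylesheet path, the sample names and the hardened_target_path handler are constructed assumptions.

```python
# Constructed illustration of the CVE-2022-0537 write logic; not MapPress code.
import os
import re

# Constructed stand-in for the active theme's stylesheet directory.
STYLESHEET_DIR = "/var/www/html/wp-content/themes/example-theme"

def vulnerable_target_path(name: str, base: str = STYLESHEET_DIR) -> str:
    """Flawed behaviour per the advisory: the caller-supplied name is joined to
    the stylesheet directory and '.php' is appended with no sanitisation, so
    '../' segments in name walk out of the theme directory."""
    return os.path.normpath(os.path.join(base, name + ".php"))

class UploadRejected(Exception):
    """Raised when the hardened handler refuses a write."""

def hardened_target_path(name: str, base: str = STYLESHEET_DIR,
                         disallow_file_mods: bool = False) -> str:
    """Hardened equivalent (hypothetical): honour DISALLOW_FILE_MODS, accept
    only a plain basename from a conservative character set, and confirm the
    resolved path is still inside the stylesheet directory."""
    if disallow_file_mods:
        raise UploadRejected("DISALLOW_FILE_MODS is set; refusing file write")
    if os.path.basename(name) != name or not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise UploadRejected(f"invalid map name: {name!r}")
    base = os.path.normpath(base)
    target = os.path.normpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, target]) != base:  # defence in depth
        raise UploadRejected(f"path escapes stylesheet directory: {target}")
    return target

def escapes_base(path: str, base: str = STYLESHEET_DIR) -> bool:
    """True when a resolved path lies outside base: the traversal check a
    reviewer or a file-integrity monitor would apply to the computed target."""
    base = os.path.normpath(base)
    return os.path.commonpath([base, os.path.normpath(path)]) != base

def is_accepted(name: str, disallow_file_mods: bool = False) -> bool:
    """Does the hardened handler accept this map name?"""
    try:
        hardened_target_path(name, disallow_file_mods=disallow_file_mods)
        return True
    except UploadRejected:
        return False

if __name__ == "__main__":
    for n in ("mymap", "../../../../outside"):  # constructed sample names
        p = vulnerable_target_path(n)
        print(f"{n!r}: vulnerable -> {p} (escapes base: {escapes_base(p)}); "
              f"hardened accepts: {is_accepted(n)}")
```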

The operational impact of this vulnerability extends beyond simple privilege escalation, creating a persistent backdoor for attackers who can maintain access to compromised WordPress installations. The vulnerability allows for arbitrary file uploads to directories with server write permissions, enabling attackers to place malicious files anywhere within the web root that has appropriate write access. This capability can be leveraged to establish persistent access, exfiltrate data, or deploy additional malicious payloads. The combination of directory traversal possibilities and automatic PHP extension addition creates a particularly dangerous attack vector that can be exploited by attackers with minimal privileges within the WordPress admin interface.

Security professionals should implement immediate mitigations, including updating to the patched version 2.73.13 or later, which addresses the input sanitization issues and closes the bypass of the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS restrictions. Network monitoring should be enhanced to detect suspicious file upload activity, particularly requests targeting the ajax_save endpoint. The vulnerability aligns with CWE-434, which describes insecure file upload vulnerabilities, and maps to ATT&CK technique T1505.003 for web shell deployment. Additionally, the issue demonstrates characteristics of privilege escalation attacks under the ATT&CK framework's T1078, which covers valid accounts, and T1548.001 for abuse of system privileges. Organizations should also review their WordPress plugin management practices, implement proper file upload restrictions, and conduct regular security audits to identify similar vulnerabilities in other third-party components. The vulnerability serves as a reminder of the critical importance of input validation and proper access controls in web applications, particularly within content management systems where plugins can significantly expand the attack surface.

Reservation: 02/08/2022

Disclosure: 04/04/2022

Moderation: accepted

CPE: ready

EPSS: 0.01484

KEV: no

Activities: very low
