CVE-2022-0499
📋 TL;DR
This vulnerability in the Sermon Browser WordPress plugin lets an attacker use cross-site request forgery (CSRF) to make a logged-in administrator's browser upload attacker-chosen files, such as PHP scripts, without the administrator intending to. It affects WordPress sites running vulnerable versions of the plugin. If an executable file is uploaded and then requested, the attacker gains remote code execution on the site.
💻 Affected Systems
- Sermon Browser WordPress Plugin
📦 What is this software?
Sermon Browser by Sermon Browser Project
⚠️ Risk & Real-World Impact
Worst Case
Full site compromise through remote code execution, allowing attackers to deface websites, steal data, install backdoors, or pivot to other systems.
Likely Case
Attackers upload web shells or malware to gain persistent access, potentially leading to data theft, credential harvesting, or cryptocurrency mining.
If Mitigated
With proper CSRF protection and file validation, the attack fails and administrators are protected from unauthorized file uploads.
🎯 Exploit Status
Exploitation requires social engineering to trick an admin into clicking a malicious link while authenticated. The technical complexity of the exploit itself is low.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.45.23 or later
Vendor Advisory: https://wpscan.com/vulnerability/e9ccf1fc-1dbf-4a41-bf4a-90af20b286d6
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Sermon Browser plugin.
4. Click 'Update Now' if available, or manually update to version 0.45.23 or later.
5. Verify the plugin now reports a patched version (0.45.23+).
🔧 Temporary Workarounds
Disable Sermon Browser Plugin
Temporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate sermon-browser
Implement Web Application Firewall Rules
Block requests to the sermon file upload endpoints from unauthorized sources.
🧯 If You Can't Patch
- Implement strict file upload validation at the web server level to block PHP and other executable file uploads.
- Use security plugins that add CSRF protection to all WordPress forms and endpoints.
🔍 How to Verify
Check if Vulnerable:
Open the WordPress admin panel → Plugins → Installed Plugins and read the Sermon Browser version. If it is 0.45.22 or earlier, the site is vulnerable.
Check Version:
wp plugin get sermon-browser --field=version
Verify Fix Applied:
Verify the plugin version is 0.45.23 or later in the WordPress admin plugins page.
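The version check above, scripted so it can run across many sites, as an added example (not code from the advisory or from the Sermon Browser project). It compares the installed version against the patched release 0.45.23 component by component, because a plain string comparison would rank 0.45.9 above 0.45.23; the `wp plugin get` call is the one shown above, and it is assumed that wp-cli is on PATH and the script is run from the WordPress root when `--check` is given.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin project): decide whether an
# installed Sermon Browser version is below the patched release 0.45.23 and
# wrap that decision in a wp-cli check. Assumes wp-cli is on PATH for --check.

FIXED_VERSION="0.45.23"

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# Components are compared as integers, so 0.45.9 < 0.45.23 (a string compare
# would get this wrong); missing trailing components count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# sermon_browser_vulnerable VERSION: exit 0 when VERSION is an affected release.
sermon_browser_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site: query the live install with wp-cli (run from the WordPress root).
# Exit codes: 0 vulnerable, 1 patched, 2 wp-cli missing, 3 plugin not installed.
check_site() {
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found on PATH" >&2
        return 2
    fi
    v=$(wp plugin get sermon-browser --field=version 2>/dev/null) || {
        echo "sermon-browser is not installed (nothing to patch)"
        return 3
    }
    if sermon_browser_vulnerable "$v"; then
        echo "VULNERABLE: sermon-browser $v is below $FIXED_VERSION"
        return 0
    fi
    echo "OK: sermon-browser $v is patched"
    return 1
}

# Only touch the live site when asked, so the functions can also be sourced
# into another script.
if [ "${1:-}" = "--check" ]; then
    check_site
fi
```

Run it as `sh check-sermon-browser.sh --check` from the WordPress document root; the exit code makes it usable from a fleet-wide loop or a monitoring job without parsing the output.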
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to sermon-related endpoints
- PHP or executable files uploaded via POST requests to /wp-admin/admin-ajax.php with action=sermon_browser_upload
Network Indicators:
- POST requests to sermon upload endpoints from unexpected sources
- File uploads with suspicious extensions (.php, .phtml, .exe) to WordPress
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters.action="sermon_browser_upload")
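The indicators above, applied to web-server access-log lines, as an added example (not part of the advisory). The log lines are constructed for this example, the site host name is a parameter, and the `sermons/` upload subdirectory in the last sample line is an assumption. Beyond the SIEM query, the script uses the Referer header to separate a forged request from a legitimate admin upload: a CSRF request is submitted from the attacker's page, so the browser sends that page (or no Referer at all) rather than the site's own admin UI.

```shell
#!/bin/sh
# Added example (not from the advisory): scan access-log lines for the
# CVE-2022-0499 indicators. Sample lines below are constructed; the site host
# is passed in; the "sermons/" uploads subdirectory is an assumed path.

# Constructed sample in "combined" log format: one sermon_browser_upload POST
# with a cross-site Referer, an unrelated admin-ajax call, one upload POST from
# the site's own admin page, and a follow-on request for a PHP file in uploads.
SAMPLE_LOG='203.0.113.5 - - [10/Feb/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=sermon_browser_upload HTTP/1.1" 200 512 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2022:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "https://site.example/wp-admin/" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2022:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=sermon_browser_upload HTTP/1.1" 200 512 "https://site.example/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2022:10:04:01 +0000] "GET /wp-content/uploads/sermons/x.php HTTP/1.1" 200 33 "-" "curl/7.81.0"'

# flag_sermon_uploads SITE_HOST: read log lines on stdin and print one line per
# sermon_browser_upload POST whose Referer is missing or from another origin.
# Fields in combined format: $6 = "METHOD, $7 = path, $11 = "referer".
flag_sermon_uploads() {
    awk -v site="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-admin\/admin-ajax\.php[?]/ &&
        $7 ~ /[?&]action=sermon_browser_upload(&|$)/ {
            ref = $11
            gsub(/"/, "", ref)
            reason = ""
            if (ref == "-")
                reason = "no-referer"
            else if (index(ref, "://" site "/") == 0)
                reason = "cross-site-referer"
            if (reason != "")
                print $1, reason, $7, ref
        }'
}

# flag_uploaded_executables: print requests for .php/.phtml/.exe files under
# wp-content/uploads, the follow-on sign that an uploaded executable was reached.
flag_uploaded_executables() {
    awk '$7 ~ /^\/wp-content\/uploads\/.*\.(php|phtml|exe)([?].*)?$/ {
            print $1, "executable-in-uploads", $7
        }'
}

# Demo over the constructed sample; point stdin at a real access log instead.
printf '%s\n' "$SAMPLE_LOG" | flag_sermon_uploads site.example
printf '%s\n' "$SAMPLE_LOG" | flag_uploaded_executables
```

One caveat when using a plain access log: admin-ajax.php accepts `action` in the POST body as well as the query string, so a body-borne `action` never reaches the request line and only shows up in WAF, reverse-proxy body logging, or an application log such as the `wordpress.log` source the SIEM query above relies on. A missing Referer is an indicator, not proof, since privacy settings and some proxies strip it.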