CVE-2022-0656
📋 TL;DR
This vulnerability in the uDraw WordPress plugin allows attackers to read arbitrary files on the web server without authentication. By exploiting an unvalidated URL parameter in an AJAX endpoint, attackers can access sensitive files like wp-config.php or system files. All WordPress sites running vulnerable versions of the uDraw plugin are affected.
💻 Affected Systems
- Web To Print Shop : uDraw WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading database credentials from wp-config.php, followed by database takeover and potential lateral movement within the hosting environment.
Likely Case
Database credential theft leading to website defacement, data exfiltration, or installation of backdoors and malware.
If Mitigated
Limited to reading non-sensitive files if proper file permissions and web server configurations restrict access to critical system files.
🎯 Exploit Status
Simple HTTP request to vulnerable AJAX endpoint with crafted URL parameter. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.3
Vendor Advisory: https://wpscan.com/vulnerability/925c4c28-ae94-4684-a365-5f1e34e6c151
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Web To Print Shop : uDraw' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.3.3+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the udraw_convert_url_to_base64 AJAX action.
Add to the theme's functions.php or a custom plugin: remove_action('wp_ajax_udraw_convert_url_to_base64', 'udraw_convert_url_to_base64'); remove_action('wp_ajax_nopriv_udraw_convert_url_to_base64', 'udraw_convert_url_to_base64');
Note that remove_action only works if the callback name and priority match what the plugin registered and the call runs after the plugin has added the hook; confirm the endpoint no longer responds after applying it.
Web Application Firewall rule
Block requests containing file-path or traversal patterns in URL parameters.
WAF rule to block: /wp-admin/admin-ajax.php?action=udraw_convert_url_to_base64&url=*
This pattern blocks every call to the action, not only malicious ones, so it effectively disables the feature; match on the URL-decoded parameter so percent-encoded variants of the same request are also caught.
🧯 If You Can't Patch
- Disable the uDraw plugin completely until patched
- Implement strict file permission controls to restrict web server access to sensitive files
🔍 How to Verify
Check if Vulnerable:
Send GET request to /wp-admin/admin-ajax.php?action=udraw_convert_url_to_base64&url=file:///etc/passwd and check if file contents are returned base64 encoded.
Check Version:
Check WordPress admin plugins page or use: wp plugin list --name=udraw --field=version
Verify Fix Applied:
After update, same request should return error or empty response instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with action=udraw_convert_url_to_base64 containing file://, ../, or absolute paths in URL parameter
- Unusual file read patterns from web server process
Network Indicators:
- GET requests with URL parameter containing file paths or traversal sequences
- Base64 encoded responses from the vulnerable endpoint
SIEM Query:
source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=udraw_convert_url_to_base64*" AND (query="*file://*" OR query="*../*" OR query="*/etc/*")
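The log indicators above can be applied directly to access logs. The following is an added example, not part of this advisory: it parses constructed combined-format log lines (the sample lines, the parsing regex and the classification rules are assumptions for illustration) and flags calls to the vulnerable action whose url parameter points at a local file.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

ENDPOINT = "/wp-admin/admin-ajax.php"
VULN_ACTION = "udraw_convert_url_to_base64"

# Constructed sample log lines: two local-file reads, one legitimate remote URL, one unrelated action.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2022:14:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=udraw_convert_url_to_base64&url=file:///etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [10/Feb/2022:14:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=udraw_convert_url_to_base64&url=..%2F..%2Fwp-config.php HTTP/1.1" 200 2210',
    '198.51.100.4 - - [10/Feb/2022:14:05:02 +0000] "GET /wp-admin/admin-ajax.php?action=udraw_convert_url_to_base64&url=https%3A%2F%2Fcdn.example.com%2Flogo.png HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Feb/2022:14:05:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55',
]


def classify_url_param(value: str) -> Optional[str]:
    """Return a reason if the url= value looks like a local file read, else None."""
    v = unquote(value).strip().lower()  # parse_qs decoded once; decode again for double-encoding
    if v.startswith("file:"):
        return "file-scheme"
    if "../" in v or "..\\" in v:
        return "traversal"
    if v.startswith("/") or re.match(r"^[a-z]:\\", v):
        return "absolute-path"
    return None


def suspicious_events(lines):
    """Return one dict per request to the vulnerable action whose url parameter is suspicious."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        parts = urlsplit(m.group("target"))
        if parts.path != ENDPOINT:
            continue
        qs = parse_qs(parts.query)
        if VULN_ACTION not in qs.get("action", []):
            continue
        for url_value in qs.get("url", []):
            reason = classify_url_param(url_value)
            if reason:
                events.append({"ip": m.group("ip"), "ts": m.group("ts"),
                               "status": int(m.group("status")), "url": url_value, "reason": reason})
    return events
```

Access logs only show the query string, so a POST to admin-ajax.php carrying the same parameters in the body will not be caught this way; pair this with the endpoint-level workaround or WAF rule above.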