CVE-2022-1777

8.8 HIGH

📋 TL;DR

The Filr WordPress plugin before version 1.2.2.1 lacks proper authorization checks in two AJAX actions, allowing any authenticated user (even subscribers) to upload arbitrary HTML files or delete files. This occurs because the required nonce is leaked on the dashboard, bypassing intended security controls.

💻 Affected Systems

Products:
  • WordPress Filr plugin
Versions: All versions before 1.2.2.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Filr plugin enabled and at least one authenticated user account.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could upload malicious HTML files that lead to cross-site scripting (XSS) attacks, deface websites, or delete critical files, causing service disruption.

🟠 Likely Case

Authenticated users could upload HTML files containing malicious scripts or delete uploaded files, potentially compromising site integrity.

🟢 If Mitigated

With proper authorization controls and nonce protection, only authorized administrators could perform file operations.
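What "authorization controls and nonce protection" mean for a WordPress AJAX handler, shown as an added illustration and not the Filr plugin's actual code: the action names, nonce name and allowed-type list are hypothetical. The first handler relies on the nonce alone, which only proves the request came from a page that embeds the nonce; once that nonce is visible on the dashboard to every logged-in user, it is no authorization check at all. The second adds a capability check, a file-type allow-list that excludes HTML, and a path-containment check for deletion.

```php
<?php
// Added illustration, not Filr's code. Handler and nonce names are hypothetical.

// WEAK PATTERN: nonce only. A nonce is a CSRF token; it does not say who the
// user is or what they may do, so any authenticated user who can read it passes.
add_action( 'wp_ajax_example_upload', 'example_upload_weak' );
function example_upload_weak() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    $file = $_FILES['file'];
    $dest = wp_upload_dir()['basedir'] . '/example/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );   // any type, including .html
    wp_send_json_success( array( 'path' => $dest ) );
}

// HARDENED PATTERN: nonce (CSRF) + capability (authorization) + type allow-list.
add_action( 'wp_ajax_example_upload_safe', 'example_upload_hardened' );
function example_upload_hardened() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {   // subscribers fail here
        wp_send_json_error( 'forbidden', 403 );      // wp_send_json_* calls wp_die()
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file    = $_FILES['file'];
    $allowed = array( 'pdf' => 'application/pdf', 'zip' => 'application/zip' );
    // Checks both the extension and the sniffed content against the allow-list.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // Let WordPress sanitize the name and place the file in the uploads dir.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Deletion needs the same two checks, plus proof the target stays inside the
// plugin's own directory so a crafted name cannot reach other files.
add_action( 'wp_ajax_example_delete_safe', 'example_delete_hardened' );
function example_delete_hardened() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $base   = realpath( wp_upload_dir()['basedir'] . '/example' );
    $target = realpath( $base . '/' . basename( sanitize_file_name( $_POST['name'] ?? '' ) ) );
    if ( ! $base || ! $target || strpos( $target, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $target );
    wp_send_json_success();
}
```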

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward due to leaked nonce and lack of authorization checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.2.1

Vendor Advisory: https://wpscan.com/vulnerability/a50dc7f8-a9e6-41fa-a047-ad1c3bc309b4

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Filr plugin and update to version 1.2.2.1 or later.
4. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable Filr plugin

all

Temporarily deactivate the vulnerable plugin until patching is possible.

wp plugin deactivate filr

Restrict user roles

all

Limit user accounts to only necessary roles and monitor for suspicious activity.

🧯 If You Can't Patch

  • Disable the Filr plugin immediately to prevent exploitation.
  • Implement web application firewall (WAF) rules to block suspicious file uploads and deletion requests.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for the Filr version. If the version is below 1.2.2.1, the site is vulnerable.

Check Version:

wp plugin list --name=filr --field=version

Verify Fix Applied:

Confirm that the Filr plugin version is 1.2.2.1 or higher in the WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads or deletions via AJAX requests to /wp-admin/admin-ajax.php with action parameters related to Filr.
  • Multiple failed authorization attempts or unexpected subscriber-level file operations.

Network Indicators:

  • HTTP POST requests to admin-ajax.php with filr-related actions from non-admin user accounts.

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (post_data LIKE "%action=filr_%" OR post_data LIKE "%_wpnonce%") AND user_role!="administrator"
