CVE-2022-1953
📋 TL;DR
This vulnerability lets unauthenticated attackers delete arbitrary files on WordPress sites running a vulnerable version of the Product Configurator for WooCommerce plugin. An AJAX action that is exposed to logged-out visitors passes a user-supplied path straight to PHP's unlink() with no authorization check and no validation of the path. Every site running an affected version is at risk.
💻 Affected Systems
- Product Configurator for WooCommerce WordPress plugin, versions before 1.2.32
📦 What is this software?
Product Configurator For Woocommerce by Product Configurator For Woocommerce Project
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise. Deleting wp-config.php drops the site back into the WordPress installation wizard; an attacker who completes that setup against a database they control gets an administrator account and can then upload a backdoored plugin or theme, i.e. remote code execution. Deleting .htaccess or core files instead yields defacement, data loss or a full outage.
Likely Case
Selective deletion that breaks site functionality: plugin or theme files, the .htaccess rewrite and hardening rules, files belonging to security plugins, or uploaded media.
If Mitigated
Limited only where the PHP process cannot write to the directories that hold critical files (unlink() is governed by write permission on the containing directory, not by the file's own mode). Because WordPress requires wp-content/uploads to be writable by the web server, user-uploaded content remains deletable even then.
🎯 Exploit Status
A single HTTP request to /wp-admin/admin-ajax.php naming the vulnerable action and a file path is enough. admin-ajax.php reads the action from $_REQUEST, so GET or POST both work, and because the handler is registered on the wp_ajax_nopriv_ hook no login or nonce is needed. Public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.32
Vendor Advisory: https://wpscan.com/vulnerability/b66d6682-edbc-435f-a73a-dced32a32770
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Product Configurator for WooCommerce'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.2.32 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable the vulnerable AJAX endpoint
Add the following to a small must-use plugin (wp-content/mu-plugins/) or the active theme's functions.php to unregister both variants of the AJAX action. Two caveats: remove_action() silently does nothing if it runs before the plugin has registered the hook, so hook late, and it only matches when given the exact same callback, so confirm the callback name against the plugin source (if the plugin registers a class method, pass the same array callback instead of the string). Afterwards has_action('wp_ajax_nopriv_pcwc_delete_file') should return false.
add_action('init', function () {
    // Unauthenticated (nopriv) and authenticated variants of the handler.
    remove_action('wp_ajax_nopriv_pcwc_delete_file', 'pcwc_delete_file');
    remove_action('wp_ajax_pcwc_delete_file', 'pcwc_delete_file');
}, 99); // late priority so this runs after the plugin's own registrations
Restrict file deletion permissions
A file's own mode does not control whether it can be deleted: unlink() succeeds whenever the PHP process can write to the containing directory. chmod 644 on wp-config.php therefore changes nothing if www-data owns or can write to the web root, and chmod 755 on wp-content/uploads changes nothing if www-data owns that directory (which it normally must, for uploads to work). The change that helps is ownership: give the web root and the critical files to a non-web user and leave the PHP user's group with read/traverse only. The paths and the www-data user below are assumptions for a typical Debian/Ubuntu layout.
chown root:www-data /var/www/html /var/www/html/wp-config.php /var/www/html/.htaccess
chmod 750 /var/www/html
chmod 640 /var/www/html/wp-config.php /var/www/html/.htaccess
This still leaves wp-content/uploads exposed, and it breaks in-admin updates and plugin installs unless those run as the owning user.
🧯 If You Can't Patch
- Temporarily disable the Product Configurator plugin until patching is possible
- Add web application firewall (WAF) rules that block requests to admin-ajax.php whose action parameter is pcwc_delete_file, in both the query string and the POST body. Rules that only look for '../' are not enough: unlink() also accepts absolute paths, and the traversal may arrive URL-encoded.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin under Plugins → Installed Plugins, or with WP-CLI. Any version below 1.2.32 is vulnerable.
Check Version:
wp plugin list --fields=name,title,version
The 'name' column is the plugin slug (its directory under wp-content/plugins). The --name filter of wp plugin list takes that slug, not the display title, so filtering on 'Product Configurator for WooCommerce' returns nothing. Once you know the slug: wp plugin get <slug> --field=version
Verify Fix Applied:
Confirm the installed version is 1.2.32 or higher. If you want to exercise the endpoint, do it on a staging copy against a throwaway file you placed under wp-content/uploads, never on production: the vulnerable code really deletes whatever path it is given. A fixed version should reject the unauthenticated request and leave the file in place.
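The update and verification steps above, combined into one POSIX shell script around WP-CLI. This is an added example, not something from the advisory or the plugin. The plugin slug is an assumption (confirm it with wp plugin list --fields=name,title,version); sort -V is the GNU coreutils version sort.

```shell
#!/bin/sh
# Added example: detect an installed Product Configurator for WooCommerce
# older than the 1.2.32 fix for CVE-2022-1953 and update it with WP-CLI.
# PCWC_SLUG is an ASSUMPTION: confirm the real slug (the directory under
# wp-content/plugins) with `wp plugin list --fields=name,title,version`.
PCWC_SLUG="${PCWC_SLUG:-product-configurator-for-woocommerce}"
PCWC_FIXED="1.2.32"

# version_lt A B: exit 0 when A sorts before B as a version number.
# GNU sort -V compares component by component, so 1.2.9 < 1.2.32 and
# 1.10.0 > 1.2.32; a plain string comparison gets both of those wrong.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# pcwc_vulnerable VERSION: exit 0 if VERSION predates the fixed release.
pcwc_vulnerable() {
  version_lt "$1" "$PCWC_FIXED"
}

# pcwc_check_and_update: read the installed version via WP-CLI, report it,
# and update when it is vulnerable. Returns 1 if the plugin is not found.
pcwc_check_and_update() {
  installed="$(wp plugin get "$PCWC_SLUG" --field=version 2>/dev/null)" || {
    echo "plugin $PCWC_SLUG not found; list slugs with: wp plugin list --fields=name,title,version" >&2
    return 1
  }
  if pcwc_vulnerable "$installed"; then
    echo "$PCWC_SLUG $installed is vulnerable to CVE-2022-1953 (< $PCWC_FIXED); updating"
    wp plugin update "$PCWC_SLUG"
    echo "now installed: $(wp plugin get "$PCWC_SLUG" --field=version)"
  else
    echo "$PCWC_SLUG $installed is not affected (>= $PCWC_FIXED)"
  fi
}

# Only talk to WordPress when WP-CLI is actually available; the version
# comparison functions above work without it.
if command -v wp >/dev/null 2>&1; then
  pcwc_check_and_update
fi
```

Run it from the WordPress root as the user that owns the files (or with --allow-root, --path=... as your WP-CLI setup requires). The comparison is kept in its own function so it can be reused against the version string shown in the admin UI when WP-CLI is not installed.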
📡 Detection & Monitoring
Log Indicators:
- Requests to /wp-admin/admin-ajax.php whose action parameter is pcwc_delete_file. admin-ajax.php takes the action from $_REQUEST, so it may arrive in a GET query string (visible in an ordinary access log) or in a POST body (visible only where request bodies are captured, e.g. a WAF or ModSecurity audit log)
- unlink() warnings in the PHP error log, or WordPress suddenly presenting its installation wizard (wp-config.php is gone)
- 404 errors for files that used to exist, especially under wp-content/uploads
Network Indicators:
- admin-ajax.php requests whose parameters contain traversal sequences ('../', '..%2F', '%2e%2e') or absolute server paths
- Bursts of admin-ajax.php requests from a single source IP followed by missing files
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (query_string LIKE "%action=pcwc_delete_file%" OR post_data LIKE "%action=pcwc_delete_file%")
The post_data field only exists if your log source records request bodies; field names follow whatever your web server or WAF emits.
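The access-log side of the detection above, as an added example that is not part of the advisory: a shell function that pulls admin-ajax.php requests carrying the pcwc_delete_file action or a raw or URL-encoded traversal sequence out of a combined-format log and counts them per client IP. The sample log lines are constructed; only action=pcwc_delete_file comes from the advisory, and the path= parameter name is a placeholder rather than the plugin's real parameter. Note the deliberate blind spot: a standard access log holds only the query string, so the POST request in the sample is not flagged.

```shell
#!/bin/sh
# Added example (not from the advisory): triage a web-server access log for
# CVE-2022-1953 probing against /wp-admin/admin-ajax.php.

# pcwc_suspects LOGFILE: print one "ip count" line per client whose
# admin-ajax.php requests name the pcwc_delete_file action or carry a
# traversal sequence (../, ..%2F or %2e%2e, matched case-insensitively).
pcwc_suspects() {
  grep -E '"(GET|POST|HEAD) /wp-admin/admin-ajax\.php[^"]*"' "$1" \
    | grep -iE 'action=pcwc_delete_file|\.\./|\.\.%2f|%2e%2e' \
    | awk '{ print $1 }' \
    | sort | uniq -c \
    | awk '{ print $2, $1 }' \
    | sort
}

# Constructed sample log in combined format. The "path=" parameter name is a
# PLACEHOLDER, not the plugin's real parameter. The POST from 198.51.100.9
# carries its action in the request body, which an access log never shows,
# so it is intentionally NOT flagged: body inspection needs a WAF/audit log.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Jun/2022:14:03:11 +0000] "GET /wp-admin/admin-ajax.php?action=pcwc_delete_file&path=../../wp-config.php HTTP/1.1" 200 12 "-" "curl/7.68.0"
203.0.113.5 - - [10/Jun/2022:14:03:12 +0000] "GET /wp-admin/admin-ajax.php?action=pcwc_delete_file&path=..%2F..%2F.htaccess HTTP/1.1" 200 12 "-" "curl/7.68.0"
198.51.100.9 - - [10/Jun/2022:14:05:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 35 "https://shop.example/" "Mozilla/5.0"
192.0.2.77 - - [10/Jun/2022:14:06:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
EOF

pcwc_suspects "$SAMPLE_LOG"   # prints: 203.0.113.5 2
```

Point the function at the real log (pcwc_suspects /var/log/nginx/access.log, or a zcat of rotated files through a pipe into a temp file) and treat any hit as confirmed probing; the heartbeat request shows that ordinary admin-ajax.php traffic is not reported.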