nvd | NVD:CVE-2022-3762
History: Nov 21, 2022 - 11:15 a.m.

CVE-2022-3762

2022-11-21 11:15:21
web.nvd.nist.gov
booster
woocommerce
wordpress
plugin
validation
download
unauthorized access
server files

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 32.8%

The Booster for WooCommerce WordPress plugin before 5.6.7, the Booster Plus for WooCommerce WordPress plugin before 5.6.5, and the Booster Elite for WooCommerce WordPress plugin before 1.1.7 do not validate files to download in some of their modules, which could allow ShopManager and Admin users to download arbitrary files from the server even when they are not supposed to be able to (for example, in multisite).

Affected configurations

Nvd
Node
booster | booster_for_woocommerce | Range <1.1.7 | elite | wordpress
OR
booster | booster_for_woocommerce | Range <5.6.5 | plus | wordpress
OR
booster | booster_for_woocommerce | Range <5.6.7 | wordpress

Vendor | Product | Version | CPE
booster | booster_for_woocommerce | * | cpe:2.3:a:booster:booster_for_woocommerce:*:*:*:*:elite:wordpress:*:*
booster | booster_for_woocommerce | * | cpe:2.3:a:booster:booster_for_woocommerce:*:*:*:*:plus:wordpress:*:*
booster | booster_for_woocommerce | * | cpe:2.3:a:booster:booster_for_woocommerce:*:*:*:*:*:wordpress:*:*
