CVE-2022-30820
Description
In Wedding Management v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the "users_edit.php" file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Wedding Management v1.0 allows arbitrary file upload via the picture upload point in users_edit.php, leading to remote code execution.
Vulnerability
In Wedding Management System v1.0 by codeastro.com, an arbitrary file upload vulnerability exists in the picture upload point of the users_edit.php file, located in the admin panel's User Management module. The application fails to properly validate the uploaded file type, allowing an attacker to upload a PHP web shell instead of an image. The vulnerable endpoint is accessible to authenticated admin users at admin/users_edit.php?id=8 [1].
Exploitation
An attacker with valid admin credentials can exploit this flaw by sending a crafted POST request to the users_edit.php endpoint. The request includes a file upload with a .php extension (e.g., shell.php) containing arbitrary PHP code, along with modified user profile fields. No additional privileges or user interaction beyond admin authentication are required [1].
Impact
Successful exploitation permits arbitrary code execution on the underlying web server. The attacker gains the ability to execute commands, read/write files, and potentially compromise the entire application and server, achieving full control at the web server privilege level [1].
Mitigation
As of the publication date (2022-05-31), no official patch has been released for Wedding Management v1.0. Users should restrict access to the admin panel, implement file upload validation (e.g., whitelist allowed extensions and verify MIME types), and consider using a web application firewall (WAF) to block malicious uploads. The application may be end-of-life; migration to a supported solution is advised [1].
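The upload validation recommended above (extension allow-list plus MIME verification), sketched as an added PHP example. It is not code from Wedding Management; the form field name `picture`, the destination directory and the size limit are assumptions.

```php
<?php
// Added example, not the application's own code.
// Hypothetical names: form field "picture", directory uploads/avatars.

const ALLOWED_IMAGE_TYPES = [        // sniffed MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 2097152;    // 2 MiB, an assumed limit

function store_profile_picture(array $file, string $destDir): string
{
    // Reject failed uploads and array-shaped (multi-file) error fields.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or malformed.');
    }
    // Only handle a file PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File size out of range.');
    }
    // Extension allow-list on the client-supplied name (shell.php fails here).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $ext = ($ext === 'jpeg') ? 'jpg' : $ext;
    if (!in_array($ext, ALLOWED_IMAGE_TYPES, true)) {
        throw new RuntimeException('Extension not allowed.');
    }
    // MIME check on the bytes; $file['type'] is client-controlled and ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)
        || ALLOWED_IMAGE_TYPES[$mime] !== $ext) {
        throw new RuntimeException('Content is not an allowed image type.');
    }
    // Server-chosen name and extension; nothing from the request reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store file.');
    }
    return $name;
}

// In the request handler:
// $stored = store_profile_picture($_FILES['picture'], __DIR__ . '/uploads/avatars');
```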
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
- Wedding Management/Wedding Management (description)
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.