CVE-2022-0656: 
WordPress vulnerability analysis and mitigation

The Web To Print Shop: uDraw WordPress plugin (versions before 3.3.3) contains an unauthenticated arbitrary file access vulnerability identified as CVE-2022-0656. The vulnerability was discovered and publicly disclosed on March 29, 2022. The issue affects the plugin's udrawconverturltobase64 AJAX action, which is accessible to both authenticated and unauthenticated users (WPScan).

The vulnerability exists because the plugin fails to validate the 'url' parameter in its udrawconverturltobase64 AJAX action before using it in the filegetcontents function. The response is returned as base64 encoded content. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges (NVD).

The vulnerability allows unauthenticated users to read arbitrary files on the web server. Attackers can potentially access sensitive files such as /etc/passwd, wp-config.php, and other critical system files, leading to exposure of sensitive information (WPScan).

The vulnerability has been fixed in version 3.3.3 of the uDraw plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).