CVE-2022-4949: 
WordPress vulnerability analysis and mitigation

CVE-2022-4949 affects the AdSanity plugin for WordPress in versions up to and including 1.8.1. The vulnerability stems from missing file type validation in the 'ajax_upload' function, which allows authenticated attackers with Contributor+ level privileges to upload arbitrary files to the affected site's server. The issue was discovered on January 13, 2022, and was patched in version 1.8.2 released on January 14, 2022 (NinTechNet Blog).

The vulnerability exists in the 'adsanityhtml5upload' AJAX action that handles the ajax_upload function. While the function implements a security nonce check, it's accessible to any authenticated user with Contributor or higher privileges. The function only verifies that the uploaded file is a ZIP archive and contains an index.html file, without proper file type validation for the contents of the ZIP file. The CVSS v3.1 score for this vulnerability is 8.8 HIGH (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows authenticated attackers to upload arbitrary PHP and HTML files, potentially leading to remote code execution (RCE) and cross-site scripting (XSS) attacks. Attackers can override existing .htaccess protections and execute malicious code through the plugin's iframe implementation in the ads management section (NinTechNet Blog).

Users should upgrade to AdSanity version 1.8.2 or later. For sites using NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), only Admin (single site) and Superadmin (multisite) users are allowed to access the upload function. Site administrators should exercise caution if they have Author-level users, as they can still exploit the vulnerability even in the patched version (NinTechNet Blog).