← back
CVE-2022-3982

Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload

CVSS 9.8 CRITICALEPSS 4.5%
Vexday Risk Score
63High priority
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.8EPSS 4.5%KEV nãoPoC públicaNuclei simMetasploit Patch
Lifecycle
12 Dec 2022Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · Booking calendar, Appointment Booking System
public PoCs found1
cve_referencewpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867