cbcvebase.
CVE-2022-3982
published 2022-12-12


Priority: P1, 84
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 4.49% (90.3rd percentile)
The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE

Affected

1 range

Vendor    Product           Version range   Fixed in
wpdevart  booking_calendar  < 3.2.2         3.2.2

Detection & IOCs (extracted from sources)

url:  /wp-content/uploads/booking_calendar/{{randstr}}.php
path: /wp-content/uploads/booking_calendar/
  • Detect unauthenticated file uploads to the booking_calendar uploads directory, specifically PHP files, which indicate exploitation of the unrestricted file upload vulnerability.
  • Monitor HTTP GET requests to /wp-content/uploads/booking_calendar/*.php — successful responses (200 OK) with PHP execution output indicate a successfully uploaded webshell.
  • Extract and monitor the wpdevart ajaxNonce value from page source; exploitation probes parse this nonce so that the subsequent malicious upload request passes the plugin's nonce check (the nonce is a CSRF token, not an authentication credential, which is why no WordPress account is needed).
  • Probe responses are validated by matching an md5 hash of a known string in the response body, confirming PHP code execution on the server.
  • The vulnerability affects Booking calendar, Appointment Booking System WordPress plugin versions before 3.2.2 only; patched versions are not affected.
  • Exploitation is unauthenticated: no WordPress credentials are required, so any remote attacker can exploit it.
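The two log-based indicators above (PHP files under the booking_calendar uploads directory, and 200 responses to GET requests for them) can be applied directly to web server access logs. The following is an added example written for this page, not code from the advisory, the plugin vendor, or any exploit template. It assumes Apache/nginx combined log format; the sample log lines are constructed, and the 300-second window used to correlate an upload (any POST from the same client) with the later GET of the PHP file is an assumed heuristic, not something the advisory states.

```python
import re
from datetime import datetime, timedelta

# Path IOC from the advisory; the uploaded filename is random ({{randstr}}),
# so match on directory prefix and .php extension rather than a fixed name.
UPLOAD_DIR = "/wp-content/uploads/booking_calendar/"

# Assumed correlation window: a GET of a PHP file in the uploads directory within
# this many seconds of a POST from the same client is treated as upload-then-execute.
POST_WINDOW = timedelta(seconds=300)

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic (not real log data): one upload-then-execute sequence,
# one benign PDF fetch, one failed probe for a PHP file, one PHP file in a different
# uploads directory (outside this advisory's IOC path).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "python-requests/2.28"
203.0.113.10 - - [12/Dec/2022:10:01:03 +0000] "GET /wp-content/uploads/booking_calendar/aBcDeF12.php HTTP/1.1" 200 32 "-" "python-requests/2.28"
198.51.100.7 - - [12/Dec/2022:10:05:44 +0000] "GET /wp-content/uploads/booking_calendar/2022/12/flyer.pdf HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Dec/2022:10:07:10 +0000] "GET /wp-content/uploads/booking_calendar/shell.php HTTP/1.1" 404 231 "-" "curl/7.85"
192.0.2.5 - - [12/Dec/2022:10:09:00 +0000] "GET /wp-content/uploads/2022/12/logo.php HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching
    return rec


def is_php_under_upload_dir(path):
    """True for a .php file (any case) anywhere under the booking_calendar uploads dir."""
    p = path.lower()
    return p.startswith(UPLOAD_DIR) and p.endswith(".php")


def detect(log_text):
    """Return one finding per GET of a PHP file under the IOC directory, with a severity."""
    findings = []
    last_post = {}  # client ip -> timestamp of its most recent POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            last_post[rec["ip"]] = rec["ts"]
            continue
        if rec["method"] != "GET" or not is_php_under_upload_dir(rec["path"]):
            continue
        if rec["status"] != 200:
            # File not there (or blocked): someone probing for a webshell, no evidence it exists.
            severity = "probe"
        elif rec["ip"] in last_post and rec["ts"] - last_post[rec["ip"]] <= POST_WINDOW:
            # 200 for a PHP file shortly after a POST from the same client: upload-then-execute.
            severity = "webshell_served_after_upload"
        else:
            # PHP served from the uploads directory is never legitimate here; lower confidence
            # only because no upload was seen from this client in the window.
            severity = "php_served_from_uploads"
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "path": rec["path"],
            "status": rec["status"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['severity']:28} {f['ip']:15} {f['status']} {f['path']}")
```

Because the IOC filename is a random string, matching on the directory prefix plus the .php extension is the usable rule; a fixed-name signature would miss every real upload. A 404 is still worth recording as reconnaissance. As a general hardening caveat beyond what the advisory covers, web servers can be configured to refuse to execute PHP from wp-content/uploads at all, which turns a successful upload into a dead file rather than a webshell.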

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL