CVE-2022-3982
Published 2022-12-12
Priority: P184 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.49% (90.3th percentile)
The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpdevart | booking_calendar | < 3.2.2 | 3.2.2 |
Detection & IOCs (extracted from sources)
- url: /wp-content/uploads/booking_calendar/{{randstr}}.php
- path: /wp-content/uploads/booking_calendar/
- Detect unauthenticated file uploads to the booking_calendar uploads directory, specifically PHP files, which indicate exploitation of the unrestricted file upload vulnerability.
- Monitor HTTP GET requests to /wp-content/uploads/booking_calendar/*.php; successful responses (200 OK) with PHP execution output indicate a successfully uploaded webshell.
- Extract and monitor the wpdevart ajaxNonce value from page source; exploitation probes parse this nonce to authenticate subsequent malicious upload requests.
- Probe responses are validated by matching an md5 hash of a known string in the response body, confirming PHP code execution on the server.
- The vulnerability affects Booking calendar, Appointment Booking System WordPress plugin versions before 3.2.2 only; patched versions are not affected.
- Exploitation is unauthenticated: no WordPress credentials are required, making this exploitable by any remote attacker.
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
GHSA
GHSA-7v4v-c3pr-fgrq · ghsa_unreviewed · 2022-12-12 · CVE-2022-3982 [CRITICAL] · CWE-434
The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP, and achieve RCE.
VulnCheck
wpdevart booking_calendar Unrestricted Upload of File with Dangerous Type (vulncheck · 2022 · CVE-2022-3982 [CRITICAL] · CVSS 9.8)
Affected: wpdevart booking_calendar
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-23&host_type=src&vulnerability=cve-2022-3982
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-01&host_type=src&vulnerability=cve-2022-3982
- https://dashboard.shadowserver.or
No detection rules found.
Nuclei
WordPress Booking Calendar <3.2.2 - Arbitrary File Upload (nuclei · CVE-2022-3982 [CRITICAL] · CVSS 9.8)
Nuclei template excerpt:

```yaml
        --------------------------1cada150a8151a54--
      - |
        GET /wp-content/uploads/booking_calendar/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - var wpdevart.*"ajaxNonce":"(.*?)"
        internal: true
# digest: 4a0a0047304502202c71ee6010c06226b4a6927f504271a847e882c299c9261109927e6769993361022100d0877033513bc154022e1c5ef2ac48ba649066e12067be345a6de6f08a4ad8c1:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
Timeline
- 2022-12-12: Published
- Exploited in the wild