← back
CVE-2022-3982

Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload

CVSS 9.8 CRITICALEPSS 4.5%
The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · Booking calendar, Appointment Booking System
public PoCs found1
cve_referencewpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867