CVE-2022-3982

high-risk
Published 2022-12-12

The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE

Do I need to act?

!
74.3% chance of exploitation in next 30 days
EPSS score — higher than 26% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Booking Calendar

Affected Vendors

Wpdevart

References (2)

Exploit https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867
Exploit https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867
56
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 19/34 · Moderate
Exposure 5/34 · Minimal