CVE-2022-1952
CRITICAL EXPLOITED NUCLEIeasync < 1.1.16 - Unauthenticated Arbitrary File Upload and Remote Code Execution via AJAX Action
Title source: llmExploitation Summary
CVE-2022-1952 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.
Nuclei Templates (1)
WordPress eaSYNC Booking <1.1.16 - Arbitrary File Upload
CRITICALVERIFIEDby theamanrawat
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
Scores
CVSS v3
9.8
EPSS
0.1757
EPSS Percentile
96.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2024-01-22
CWE
CWE-434
Status
published
Products (1)
syntacticsinc/easync
< 1.1.16
Published
Jul 11, 2022
Tracked Since
Feb 18, 2026