CVE-2022-3982

CRITICAL EXPLOITED NUCLEI

Booking Calendar <3.2.2 - Unauthenticated RCE

Title source: llm

Description

The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP, and achieve RCE.

Nuclei Templates (1)

WordPress Booking Calendar <3.2.2 - Arbitrary File Upload
CRITICAL VERIFIED by theamanrawat

Scores

CVSS v3 9.8
EPSS 0.7418
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2023-12-23
Status published
Products (1)
wpdevart/booking_calendar < 3.2.2
Published Dec 12, 2022
Tracked Since Feb 18, 2026