CVE-2022-3982

CRITICAL EXPLOITED NUCLEI

Booking Calendar <3.2.2 - Unauthenticated RCE

Exploitation Summary

CVE-2022-3982 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP, and achieve RCE.

Nuclei Templates (1)

WordPress Booking Calendar <3.2.2 - Arbitrary File Upload
CRITICAL VERIFIED by theamanrawat

References (1)

Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/4d91f3e1-4de9-46c1-b5ba-cc55b7726867

Scores

CVSS v3 9.8
EPSS 0.0449
EPSS Percentile 90.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2023-12-23
Status published
Products (1)
wpdevart/booking_calendar < 3.2.2
Published Dec 12, 2022
Tracked Since Feb 18, 2026