VikBooking Hotel Booking Engine and PMS plugin for WordPress file upload | CVE-2022-27862
NAME
VikBooking Hotel Booking Engine and PMS plugin for WordPress file upload
- Platforms Affected:
WordPress VikBooking Hotel Booking Engine and PMS plugin for WordPress 1.5.3
WordPress VikBooking Hotel Booking Engine and PMS plugin for WordPress 1.5.2 - Risk Level:
9.8 - Exploitability:
Unproven - Consequences:
Gain Access
DESCRIPTION
VikBooking Hotel Booking Engine and PMS plugin for WordPress could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions by the signature upload on the booking form. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
CVSS 3.0 Information
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Access Vector: Network
- Access Complexity: Low
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Remediation Level: Official Fix
MITIGATION
Upgrade to the latest version of VikBooking Hotel Booking Engine and PMS plugin for WordPress (1.5.8 or later), available from the WordPress Plugin Directory. See References.
- Reference Link:
https://patchstack.com/database/vulnerability/vikbooking/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-5-3-arbitrary-file-upload-leading-to-rce - Reference Link:
https://wordpress.org/plugins/vikbooking/
If you like the site, please consider joining the telegram channel and supporting us on Patreon using the button below.
