High severity 7.2 · NVD Advisory · Published Apr 4, 2024 · Updated Apr 8, 2026
CVE-2024-3022
Description
The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient filename validation in the 'bookingpress_process_upload' function in all versions up to, and including, 1.0.87. This allows an authenticated attacker with administrator-level capabilities or higher to upload arbitrary files to the affected site's server, enabling remote code execution.
Affected products
- cpe:2.3:a:reputeinfosystems:bookingpress:*:*:*:*:free:wordpress:*:* (Range: <=1.0.87)
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/changeset/3061435/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_fileupload_class.php (nvd; Patch)
- r0ot.notion.site/BookingPress-1-0-84-Authenticated-Administrator-Arbitrary-File-Upload-lead-to-RCE-e2603371c0c14d828144e26f2fdc1d01 (nvd; Exploit, Third Party Advisory)
- www.wordfence.com/threat-intel/vulnerabilities/id/049ec264-3ed1-4741-937d-8a633ef0a627 (nvd; Third Party Advisory)