Cyber Resilience

CVE-2022-3982

Critical · Public PoC

Published: 12 December 2022

Modified: 22 April 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7200 (98.8th percentile)
Risk Priority: 63 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-3982 is a critical-severity vulnerability, with no specific weakness type assigned, in Wpdevart Booking Calendar. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 1.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Booking calendar, Appointment Booking System WordPress plugin before version 3.2.2 contains a file-upload flaw: uploaded files, including PHP scripts, are accepted without validation. The affected component is the plugin's handling of uploaded content on WordPress sites. The flaw is rated CVSS 9.8, with a network attack vector, no authentication, and full confidentiality, integrity, and availability impact.

Unauthenticated remote attackers can send crafted upload requests to place executable code on the server and subsequently invoke it to obtain remote code execution. Successful exploitation grants the attacker the ability to run arbitrary commands with the privileges of the web server process.

The referenced WPScan advisory identifies the issue in versions prior to 3.2.2 and indicates that updating to 3.2.2 or later resolves the missing validation. The EPSS score for this CVE reached a peak of 0.9058, demonstrating a clear rise in exploitation interest after disclosure.

Vulnerability details

The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP, and achieve RCE.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

wpdevart · booking calendar · ≤ 3.2.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References