CVE-2022-1409

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated administrators in the VikBooking WordPress plugin to upload PHP files disguised as images, potentially leading to remote code execution. It affects WordPress sites using vulnerable versions of the VikBooking Hotel Booking Engine & PMS plugin. Only users with administrator privileges can exploit this vulnerability.

💻 Affected Systems

Products:
  • VikBooking Hotel Booking Engine & PMS WordPress plugin
Versions: All versions before 1.5.8
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator-level access to exploit. Affects WordPress installations with the vulnerable plugin enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with administrator access could upload a malicious PHP file, gain full control of the WordPress site, and potentially compromise the entire web server.

🟠

Likely Case

A compromised administrator account could upload a web shell, leading to data theft, defacement, or further lateral movement within the hosting environment.

🟢

If Mitigated

With proper access controls and file upload restrictions, the impact is limited to the specific WordPress instance, but could still lead to site compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials. The vulnerability is well-documented and weaponization is likely given the high impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.8

Vendor Advisory: https://wpscan.com/vulnerability/1330f8f7-4a59-4e9d-acae-21656a4101fe

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find VikBooking Hotel Booking Engine & PMS.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.5.8+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Restrict file upload extensions

Configure the web server to refuse to serve or execute PHP files from the uploads directory, so a script uploaded under an image name cannot run even if the upload itself succeeds

# For Apache: place in wp-content/uploads/.htaccess (needs AllowOverride), not in the site root, where it would block WordPress itself
<FilesMatch "\.(php|php5|php7|phtml)$">
    Require all denied
</FilesMatch>
# Apache 2.2: use "Order Allow,Deny" and "Deny from all" instead of Require
# For Nginx: add to the server block BEFORE the generic "location ~ \.php$" handler, since the first matching regex location wins
location ~* ^/wp-content/uploads/.*\.(php|php5|php7|phtml)$ {
    deny all;
}

Remove administrator access

Temporarily revoke administrator privileges from untrusted users

# WordPress SQL to demote a user to subscriber: roles live in wp_usermeta (wp_capabilities), not in a wp_users.user_level column; adjust the wp_ prefix if yours differs
UPDATE wp_usermeta SET meta_value = 'a:1:{s:10:"subscriber";b:1;}'
WHERE meta_key = 'wp_capabilities' AND user_id = (SELECT ID FROM wp_users WHERE user_login = 'username');
# Equivalent WP-CLI: wp user set-role username subscriber

🧯 If You Can't Patch

  • Disable the VikBooking plugin entirely until patched
  • Implement strict file upload validation at the web application firewall level

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > VikBooking version. If version is below 1.5.8, the site is vulnerable.

Check Version:

# WordPress CLI
wp plugin list --name=vikbooking --field=version
# Or check wp-content/plugins/vikbooking/readme.txt

Verify Fix Applied:

Confirm VikBooking plugin version is 1.5.8 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to VikBooking endpoints
  • PHP file execution from upload directories
  • Administrator account performing unexpected file uploads

Network Indicators:

  • POST requests to /wp-content/plugins/vikbooking/upload endpoints with PHP content
  • Unusual outbound connections from web server after file upload

SIEM Query:

source="web_logs" AND (uri_path="/wp-content/plugins/vikbooking/*" AND method="POST") AND (file_extension="php" OR content_type="application/x-php")
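As an added example that is not part of this advisory, a small Python detector applies the log indicators above to web server access logs: it flags requests for PHP-extension files under the uploads directory (a 200 means the script was actually served or executed) and POSTs to VikBooking plugin paths. The log lines and the /wp-content/plugins/vikbooking/upload path are constructed samples, not real plugin endpoints.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access log (combined format); the vikbooking/upload path is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - admin [10/May/2022:10:01:12 +0000] "POST /wp-content/plugins/vikbooking/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2022:10:01:30 +0000] "GET /wp-content/uploads/2022/05/photo.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2022:10:02:01 +0000] "GET /wp-content/uploads/2022/05/room.jpg HTTP/1.1" 200 84211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2022:10:02:05 +0000] "GET /wp-content/plugins/vikbooking/assets/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2022:10:03:00 +0000] "GET /wp-content/uploads/2022/05/photo.phtml?x=1 HTTP/1.1" 403 210 "-" "curl/7.68.0"
"""

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Same extension list the web-server workaround blocks.
PHP_EXT = re.compile(r'\.(php|php5|php7|phtml)$', re.IGNORECASE)
UPLOADS_PREFIX = "/wp-content/uploads/"
PLUGIN_PREFIX = "/wp-content/plugins/vikbooking/"


def find_indicators(log_text):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        path = urlsplit(m["target"]).path  # strip the query so the extension check sees the file name
        status = int(m["status"])
        hit = None
        if path.startswith(UPLOADS_PREFIX) and PHP_EXT.search(path):
            # A 200 means the server ran or served the script; 403/404 is a blocked probe worth noting
            hit = {"kind": "php_in_uploads", "executed": status == 200}
        elif m["method"] == "POST" and path.startswith(PLUGIN_PREFIX):
            hit = {"kind": "vikbooking_post", "executed": None}  # upload activity to review against admin audit logs
        if hit:
            hit.update(ip=m["ip"], ts=m["ts"], path=path, status=status)
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind']:16} {f['status']} {f['path']}")
```

Feed it the real access log with `find_indicators(open(path).read())`; correlate `vikbooking_post` hits with the administrator's session in the WordPress audit trail before treating them as malicious.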
