CVE-2022-1952
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress sites running the Free Booking Plugin for Hotels, Restaurant and Car Rental. This leads to remote code execution, enabling complete compromise of affected websites. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin
📦 What is this software?
Easync by Syntacticsinc
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with attacker gaining full control over the WordPress installation and potentially the underlying server, leading to data theft, defacement, or ransomware deployment.
Likely Case
Website defacement, malware injection, backdoor installation, credential theft, and use as part of botnets or phishing campaigns.
If Mitigated
No impact if plugin is patched or workarounds are properly implemented.
🎯 Exploit Status
Exploitation is trivial with publicly available proof-of-concept code; no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.16
Vendor Advisory: https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Free Booking Plugin for Hotels, Restaurant and Car Rental'.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.1.16+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Block access to the vulnerable AJAX action via web server configuration or WordPress hooks. Note that both rules below match the action only when it is passed in the query string; a request that sends `action` in the POST body is not caught by them, so pair them with a WAF rule that inspects the request body.
# Add to .htaccess for Apache:
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} action=wbh_ajax_upload_file
RewriteRule ^ - [F,L]
# For Nginx:
location ~* /wp-admin/admin-ajax\.php$ {
    if ($args ~* "action=wbh_ajax_upload_file") {
        return 403;
    }
}
Disable plugin
Temporarily disable the vulnerable plugin until it is patched
wp plugin deactivate free-booking-plugin-for-hotels-restaurant-and-car-rental
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file upload requests to the vulnerable AJAX endpoint
- Restrict file upload permissions and implement file integrity monitoring on WordPress uploads directory
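The file integrity monitoring suggested above, and the "unusual extensions under wp-content/uploads/" indicator in the Detection section, can be implemented with a baseline-and-compare script. The following is an added example written for this page, not code from the plugin or the advisory: it hashes every file under an uploads directory, diffs a later snapshot against the baseline, and flags added or modified files whose name carries a PHP-executable extension. Checking every suffix (not only the last one) also catches double extensions such as `logo.php.jpg`, which goes slightly beyond the page's list. The sample tree is constructed in a temporary directory with inert placeholder content.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the advisory flags as unusual under wp-content/uploads/
EXEC_EXTS = {".php", ".phtml", ".phar"}


def is_suspicious(relpath):
    """True if any suffix of the file name is a PHP-executable extension.

    Every suffix is checked, so 'image.php.jpg' is flagged as well as 'shell.php'.
    """
    return any(s.lower() in EXEC_EXTS for s in Path(relpath).suffixes)


def snapshot(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        result[path.relative_to(root).as_posix()] = h.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Return added, modified and removed relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def review_changes(baseline, current):
    """Diff two snapshots and flag added/modified files with executable extensions."""
    changes = diff_snapshots(baseline, current)
    flagged = sorted(p for p in changes["added"] + changes["modified"] if is_suspicious(p))
    return changes, flagged


def build_demo_tree():
    """Constructed sample uploads tree (not real site data) in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="uploads-demo-"))
    (root / "2022/06").mkdir(parents=True)
    (root / "2022/06/photo.jpg").write_bytes(b"\xff\xd8\xff fake jpeg bytes")
    (root / "2022/06/menu.pdf").write_bytes(b"%PDF-1.4 fake")
    return root


def demo():
    """Take a clean baseline, simulate what an arbitrary upload leaves behind, and review."""
    root = build_demo_tree()
    baseline = snapshot(root)  # taken while the site is known to be clean
    # Constructed follow-up state: two new files with executable extensions and one edited image.
    # The placeholder bytes are inert text, not PHP code.
    (root / "2022/06/shell.php").write_bytes(b"constructed placeholder, not code")
    (root / "2022/06/logo.php.jpg").write_bytes(b"constructed placeholder, not an image")
    (root / "2022/06/photo.jpg").write_bytes(b"\xff\xd8\xff modified bytes")
    return review_changes(baseline, snapshot(root))


if __name__ == "__main__":
    changes, flagged = demo()
    print("changes:", changes)
    print("flagged:", flagged)
```

In production the baseline would be stored outside the web root (or in the SIEM) and `snapshot()` re-run on a schedule; any entry in `flagged` is worth an immediate look, and the `modified` list catches tampering with existing media that the extension check alone would miss.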
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'Free Booking Plugin for Hotels, Restaurant and Car Rental' version number
Check Version:
wp plugin list --name='free-booking-plugin-for-hotels-restaurant-and-car-rental' --field=version
Verify Fix Applied:
Confirm plugin version is 1.1.16 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=wbh_ajax_upload_file parameter
- File uploads to wp-content/uploads/ with unusual extensions (.php, .phtml, .phar)
- Unauthenticated requests to admin-ajax.php with file upload parameters
Network Indicators:
- Unusual outbound connections from WordPress server after file upload
- HTTP requests with multipart/form-data to admin-ajax.php from unauthenticated sources
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND (query_string="*action=wbh_ajax_upload_file*" OR user_agent="*curl*" OR user_agent="*wget*")
The `user_agent` clauses also match legitimate curl/wget POSTs to admin-ajax.php (cron jobs, monitoring), so expect some noise from them; the `query_string` clause is the high-confidence part of the query.
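The log indicators above can be checked offline against a web server access log. The script below is an added example for this page, not a tool shipped with the plugin or the advisory: it parses lines in the Apache/nginx "combined" format (an assumption about your log layout; adjust `LOG_RE` if yours differs), and flags POSTs to admin-ajax.php carrying `action=wbh_ajax_upload_file`, POSTs to that endpoint from curl/wget user agents (the SIEM query's terms), and any request for a `.php`/`.phtml`/`.phar` path under `wp-content/uploads/`. The sample log lines are constructed and use documentation IP ranges. As with the web server rules, an `action` sent in the POST body is invisible in an access log, so this sees only the query-string form.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" / nginx default access log layout (assumption about the server config).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

VULN_ACTION = "wbh_ajax_upload_file"     # AJAX action named in the advisory
CLI_AGENTS = ("curl", "wget")            # user agents from the SIEM query
EXEC_EXTS = (".php", ".phtml", ".phar")  # extensions listed under Log Indicators

# Constructed sample lines (not real traffic); one is deliberately unparseable.
SAMPLE_LOGS = [
    '203.0.113.7 - - [01/Jun/2022:10:15:32 +0000] "POST /wp-admin/admin-ajax.php?action=wbh_ajax_upload_file HTTP/1.1" 200 128 "-" "curl/7.68.0"',
    '198.51.100.4 - - [01/Jun/2022:10:16:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 42 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jun/2022:10:15:40 +0000] "GET /wp-content/uploads/2022/06/shell.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.9 - - [01/Jun/2022:10:17:00 +0000] "POST /wp-admin/admin-ajax.php?action=wbh_ajax_upload_file HTTP/1.1" 403 0 "-" "python-requests/2.27.1"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the indicator names that apply to one parsed request (empty list if benign)."""
    reasons = []
    parts = urlsplit(entry["target"])
    path = parts.path
    actions = parse_qs(parts.query).get("action", [])
    ua = entry["ua"].lower()

    if path.endswith("/wp-admin/admin-ajax.php") and entry["method"] == "POST":
        if VULN_ACTION in actions:
            reasons.append("vulnerable_upload_action")
        if any(agent in ua for agent in CLI_AGENTS):
            reasons.append("cli_user_agent")
    # A request for an executable file under uploads suggests a prior upload succeeded.
    if "/wp-content/uploads/" in path and path.lower().endswith(EXEC_EXTS):
        reasons.append("executable_under_uploads")
    return reasons


def scan(lines):
    """Scan log lines and return one finding per request matching at least one indicator."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip it rather than abort the scan
        reasons = classify(entry)
        if reasons:
            findings.append({
                "ip": entry["ip"],
                "time": entry["time"],
                "status": entry["status"],
                "target": entry["target"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f["ip"], f["status"], f["target"], ", ".join(f["reasons"]))
```

A 403 on the vulnerable action (the fourth sample line) means the workaround blocked the request, but it is still an attempt worth recording; a 200 on the same action followed by a request for a `.php` path under uploads from the same address, as in the first and third lines, is the pattern that should trigger incident response.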