CVE-2022-27862

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to upload arbitrary files (including PHP shells) through the signature upload feature in the VikBooking WordPress plugin. Successful exploitation leads to remote code execution, potentially compromising the entire WordPress site. All WordPress sites running VikBooking Hotel Booking Engine & PMS plugin version 1.5.3 or earlier are affected.

💻 Affected Systems

Products:
  • VikBooking Hotel Booking Engine & PMS WordPress plugin
Versions: <= 1.5.3
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration of affected versions. Requires WordPress installation with the vulnerable plugin.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, malware deployment, ransomware attacks, or use as a foothold for lateral movement within the network.

🟠 Likely Case

Website defacement, data exfiltration, backdoor installation, and unauthorized access to sensitive booking information.

🟢 If Mitigated

Limited impact with proper file upload restrictions, but still poses significant risk if other security controls fail.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and is straightforward via web interface. Public exploit details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.4 or later

Vendor Advisory: https://wordpress.org/plugins/vikbooking/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the VikBooking plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable signature upload feature (platform: all)

Temporarily disable the vulnerable signature upload functionality in booking forms.

Restrict file upload extensions (platform: linux)

Configure the web server so that script files (PHP and similar) placed in the plugin's upload directory are never served or executed, which neutralizes an uploaded shell even if the upload itself succeeds.

# Apache: add to .htaccess in the plugin's upload directory (/wp-content/uploads/vikbooking/).
# Only effective if the directory's AllowOverride setting permits .htaccess directives.
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$">
  # Apache 2.4:
  Require all denied
  # Apache 2.2 (or 2.4 with mod_access_compat) uses these two lines instead:
  # Order Allow,Deny
  # Deny from all
</FilesMatch>
# Nginx: add to the server block, scoped to the upload directory so the rest of WordPress
# keeps executing PHP. Regex locations match in config order, so place this block BEFORE
# the generic "location ~ \.php$" fastcgi handler.
location ~* ^/wp-content/uploads/vikbooking/.*\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$ {
  deny all;
}

🧯 If You Can't Patch

  • Immediately disable the VikBooking plugin entirely
  • Implement WAF rules to block file uploads containing PHP code or shell patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for VikBooking version. If version is 1.5.3 or lower, system is vulnerable.

Check Version:

# From WordPress root directory
grep -r "Version:" wp-content/plugins/vikbooking/vikbooking.php | head -1

Verify Fix Applied:

Verify plugin version shows 1.5.4 or higher in WordPress admin panel. Test signature upload functionality with malicious file to confirm rejection.
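The grep above prints the version string but leaves the comparison to the eye, and a plain string comparison gets it wrong once a release such as 1.5.10 exists ("1.5.10" sorts before "1.5.4" as text). The following is an added example, not code from the advisory or from the VikBooking project: it reads the `Version:` line from a plugin main file, compares it numerically against the first fixed release stated above (1.5.4), and reports whether the install is still in the affected range. The plugin file path and the sample header are assumptions/constructed values.

```python
"""Added example (not from the advisory or the plugin): numeric plugin-version check."""
import re
from pathlib import Path

# First patched release according to this advisory.
FIXED_VERSION = (1, 5, 4)

# Assumed location of the plugin's main file, relative to the WordPress root.
PLUGIN_MAIN_FILE = "wp-content/plugins/vikbooking/vikbooking.php"


def parse_version(header_text):
    """Extract 'Version: x.y.z' from a WordPress plugin header comment as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M)
    if not m:
        raise ValueError("no 'Version:' line found in plugin header")
    return tuple(int(part) for part in m.group(1).strip(".").split("."))


def is_vulnerable(version):
    """True when version < 1.5.4 (i.e. <= 1.5.3, the affected range)."""
    # Pad short versions so (1, 5) compares like (1, 5, 0).
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION


def check_plugin(wp_root="."):
    """Return (version_tuple, vulnerable_flag) for the plugin under a WordPress root."""
    text = Path(wp_root, PLUGIN_MAIN_FILE).read_text(errors="replace")
    version = parse_version(text)
    return version, is_vulnerable(version)


# Constructed header in the shape WordPress plugin main files use (not the real plugin's text).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: VikBooking
 * Version: 1.5.10
 */
"""

if __name__ == "__main__":
    v = parse_version(SAMPLE_HEADER)
    print(".".join(map(str, v)), "vulnerable" if is_vulnerable(v) else "patched")
```

Run `check_plugin("/var/www/html")` (or whatever the WordPress root is) on a live install; the sample header only demonstrates the comparison on a version that naive string ordering would misjudge.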

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed file upload attempts to /wp-content/uploads/vikbooking/
  • Successful upload of .php files to plugin upload directory
  • Unusual POST requests to booking form endpoints

Network Indicators:

  • POST requests with file uploads to /wp-content/plugins/vikbooking/ endpoints
  • Outbound connections from web server to unfamiliar IPs after file upload

SIEM Query:

source="web_server_logs" AND method="POST" AND uri_path="/wp-content/plugins/vikbooking/*" AND file_extension="php"
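To turn the log and network indicators above into something that can run against an access log offline, here is an added example (not part of the advisory): a small scanner over combined-format web server log lines. It flags POSTs to the plugin's endpoints, requests for script files under the upload directory (a 200 on such a request means the file was served, i.e. the web server block above is not in place), counts failed POSTs per client, and singles out clients that both posted to the plugin and then fetched a script from the upload directory. The log lines, the client addresses and the endpoint filename `upload_endpoint.php` are constructed for illustration; the two path prefixes come from the advisory.

```python
"""Added example (not from the advisory): scan access logs for the advisory's indicators."""
import re
from collections import Counter

# Combined Log Format: host ident user [time] "METHOD /path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path prefixes named in the advisory.
PLUGIN_PREFIX = "/wp-content/plugins/vikbooking/"
UPLOAD_PREFIX = "/wp-content/uploads/vikbooking/"
# Same extension list the web server workaround blocks.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|pl|py|jsp|asp|sh|cgi)$", re.I)

# Constructed sample log; addresses are documentation ranges, endpoint name is hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2022:10:01:02 +0000] "GET /wp-content/plugins/vikbooking/assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2022:10:01:09 +0000] "POST /wp-content/plugins/vikbooking/upload_endpoint.php HTTP/1.1" 200 88 "-" "python-requests/2.27"
203.0.113.7 - - [10/May/2022:10:01:11 +0000] "GET /wp-content/uploads/vikbooking/sig_1.php?cmd=id HTTP/1.1" 200 45 "-" "python-requests/2.27"
198.51.100.4 - - [10/May/2022:10:02:30 +0000] "GET /wp-content/uploads/vikbooking/sig_2.png HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2022:10:03:15 +0000] "POST /wp-content/plugins/vikbooking/upload_endpoint.php HTTP/1.1" 403 0 "-" "python-requests/2.27"
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the advisory indicators a single parsed request matches."""
    path = rec["path"].split("?", 1)[0]  # ignore the query string when matching paths
    tags = []
    if rec["method"] == "POST" and path.startswith(PLUGIN_PREFIX):
        tags.append("post_to_plugin_endpoint")
        if rec["status"][0] in "45":
            tags.append("failed_upload_attempt")
    if path.startswith(UPLOAD_PREFIX) and SCRIPT_EXT_RE.search(path):
        tags.append("script_in_upload_dir")
        if rec["status"] == "200":  # served rather than blocked by the web server rule
            tags.append("script_served")
    return tags


def scan(log_text):
    """Return (ip, method, path, status, tags) for every line that matches an indicator."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            alerts.append((rec["ip"], rec["method"], rec["path"], rec["status"], tags))
    return alerts


def failed_upload_counts(alerts):
    """Per-client count of POSTs to the plugin that the server rejected."""
    return Counter(a[0] for a in alerts if "failed_upload_attempt" in a[4])


def clients_post_then_script(alerts):
    """Clients that POSTed to the plugin and were later served a script from the upload dir."""
    posted = {a[0] for a in alerts if "post_to_plugin_endpoint" in a[4]}
    served = {a[0] for a in alerts if "script_served" in a[4]}
    return sorted(posted & served)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, method, path, status, tags in found:
        print(ip, method, path, status, ",".join(tags))
    print("failed uploads:", dict(failed_upload_counts(found)))
    print("post-then-script clients:", clients_post_then_script(found))
```

Pipe a real log through `scan(open(path).read())`; the combined regex also matches the default Apache and Nginx formats. A hit on `script_served` alone is already worth an investigation, since a correctly deployed web server block returns 403 for those paths.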
