CVE-2024-3022

7.2 HIGH

📋 TL;DR

The BookingPress WordPress plugin allows authenticated administrators to upload arbitrary files due to insufficient filename validation. This vulnerability enables remote code execution on affected WordPress sites. Only sites running BookingPress versions up to 1.0.87 are impacted.

💻 Affected Systems

Products:
  • BookingPress Appointment Booking WordPress Plugin
Versions: All versions up to and including 1.0.87
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have administrator-level WordPress access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise leading to data theft, malware deployment, or complete site takeover.

🟠 Likely Case

Unauthorized file upload leading to backdoor installation and persistent access.

🟢 If Mitigated

Limited impact if proper file permissions and web application firewalls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials but is straightforward once obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.88 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3061435/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_fileupload_class.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find BookingPress and click 'Update Now'.
4. Verify the version is 1.0.88 or higher.

🔧 Temporary Workarounds

Disable BookingPress Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate bookingpress-appointment-booking

Restrict File Uploads via .htaccess (platform: linux)

Block execution of uploaded files in the uploads directory.

<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|php8|inc|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$">
  # Apache 2.2 syntax; on Apache 2.4 replace the two lines below with: Require all denied
  Order Allow,Deny
  Deny from all
</FilesMatch>

🧯 If You Can't Patch

  • Remove administrator access from untrusted users.
  • Implement web application firewall rules to block file uploads to BookingPress endpoints.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > BookingPress version. If version is 1.0.87 or lower, you are vulnerable.

Check Version:

wp plugin get bookingpress-appointment-booking --field=version

Verify Fix Applied:

After updating, confirm BookingPress version is 1.0.88 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /wp-content/uploads/bookingpress/
  • POST requests to /wp-admin/admin-ajax.php with action=bookingpress_process_upload

Network Indicators:

  • HTTP POST requests containing malicious file uploads to BookingPress endpoints

SIEM Query:

source="*access.log*" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data="bookingpress_process_upload")
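A small log-review script that applies the two log indicators above to Apache combined-format access log lines, as an added example that is not part of the original advisory. The sample lines and the file name img_2024.php are constructed; note that a standard access log does not record the POST body, so the action parameter is only visible when it is sent in the query string or when the log source (a WAF, for instance) records request bodies.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format. The POST body is not logged, so "action=" is
# only seen here when it appears in the query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_DIR = "/wp-content/uploads/bookingpress/"
# Same extension list the .htaccess workaround blocks (minus plain .htm/.html).
SCRIPT_EXT = re.compile(r"\.(php|phtml|php[3-8]|phps|inc|pl|py|jsp|asp|shtml|sh|cgi)$", re.I)

def classify(line):
    """Return the indicator names that fire for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    hits = []
    if m["method"] == "POST" and url.path == "/wp-admin/admin-ajax.php":
        if "bookingpress_process_upload" in parse_qs(url.query).get("action", []):
            hits.append("bookingpress_upload_call")
    # A script being served from the plugin's upload directory is the
    # post-exploitation sign the .htaccess workaround is meant to neutralise.
    if url.path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(url.path):
        hits.append("script_in_bookingpress_uploads")
    return hits

def scan(lines):
    """Return (client_ip, path, indicators) for every flagged line."""
    findings = []
    for line in lines:
        hits = classify(line)
        if hits:
            m = LOG_RE.match(line)
            findings.append((m["ip"], urlsplit(m["target"]).path, hits))
    return findings

# Constructed sample: one upload call, one script fetch, two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=bookingpress_process_upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2024:12:00:05 +0000] "GET /wp-content/uploads/bookingpress/img_2024.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Apr/2024:12:00:09 +0000] "GET /wp-content/uploads/bookingpress/logo.png HTTP/1.1" 200 9010 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Apr/2024:12:00:12 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG.splitlines()):
        print(ip, path, ",".join(hits))
```

Pipe a real log through scan() line by line; the same two checks translate directly into the SIEM query above once the log source exposes the action parameter.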

🔗 References