CVE-2024-38717
📋 TL;DR
This CVE describes a path traversal vulnerability in the Booking Ultra Pro WordPress plugin that allows attackers to include arbitrary local PHP files. This can lead to remote code execution, sensitive file disclosure, or server compromise. All WordPress sites running Booking Ultra Pro versions up to 1.1.13 are affected.
💻 Affected Systems
- Booking Ultra Pro - Appointments Booking Calendar Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, ransomware deployment, or complete site takeover via remote code execution.
Likely Case
Sensitive file disclosure (configuration files, database credentials) leading to further attacks or data exfiltration.
If Mitigated
Limited impact if proper file permissions, web application firewalls, and input validation are in place.
🎯 Exploit Status
Path traversal vulnerabilities are typically easy to exploit with publicly available tools and techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.14 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Booking Ultra Pro. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.1.14+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
allImplement WAF rules to block path traversal patterns and local file inclusion attempts.
Depends on specific WAF platform - configure rules to block patterns like '../', '..\', and file inclusion attempts
Disable Plugin
linuxTemporarily disable the Booking Ultra Pro plugin until patched.
wp plugin deactivate booking-ultra-pro
🧯 If You Can't Patch
- Remove the Booking Ultra Pro plugin completely if not essential
- Implement strict file permissions and disable PHP execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Booking Ultra Pro version. If version is 1.1.13 or lower, you are vulnerable.Check Version:
wp plugin get booking-ultra-pro --field=versionVerify Fix Applied:
Verify plugin version is 1.1.14 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in web server logs (e.g., '../', '..\')
- Requests to booking-ultra-pro files with suspicious parameters
- PHP error logs showing file inclusion errors
Network Indicators:
- HTTP requests with path traversal sequences targeting booking-ultra-pro endpoints
- Unusual file downloads from the server
SIEM Query:
web.url:*booking-ultra-pro* AND (web.uri:*../* OR web.uri:*..\* OR web.uri:*php://* OR web.uri:*file://*)🔗 References
- https://patchstack.com/database/vulnerability/booking-ultra-pro/wordpress-booking-ultra-pro-appointments-booking-calendar-plugin-1-1-13-local-file-inclusion-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/booking-ultra-pro/wordpress-booking-ultra-pro-appointments-booking-calendar-plugin-1-1-13-local-file-inclusion-vulnerability?_s_id=cve
