CVE-2022-1952: 
WordPress vulnerability analysis and mitigation

The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin (eaSYNC) before version 1.1.16 was identified with CVE-2022-1952. This vulnerability was discovered and publicly disclosed on June 15, 2022. The issue affects the WordPress plugin easync-booking, which is commonly used for hotel, restaurant, and car rental booking systems (WPScan, CVE Mitre).

The vulnerability stems from insufficient input validation in the plugin's file upload functionality. Specifically, while the plugin implements an allowlist of valid file extensions, these validation steps are not properly enforced. The vulnerability is exposed through an AJAX action that is accessible to unauthenticated users. The issue allows for arbitrary file upload capabilities, which can lead to remote code execution on the affected systems (WPScan).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected WordPress installations. This can lead to remote code execution, potentially giving attackers complete control over the affected website. The ability to execute arbitrary code without authentication represents a critical security risk for affected installations (WPScan).

The vulnerability has been fixed in version 1.1.16 of the eaSYNC plugin. Website administrators running affected versions should immediately upgrade to version 1.1.16 or later to protect their installations (WPScan).