CVE-2022-3982: 
WordPress vulnerability analysis and mitigation

The Booking Calendar WordPress plugin (versions before 3.2.2) contains a critical vulnerability identified as CVE-2022-3982. The vulnerability was publicly disclosed on November 21, 2022, affecting both the standard booking-calendar plugin and booking-calendar-pro-payment versions. This security flaw received a CVSS v3 Base Score of 9.8 (Critical), indicating its severe nature (AttackerKB, WPScan).

The vulnerability stems from the plugin's failure to properly validate uploaded files, allowing unauthenticated users to upload arbitrary files, including PHP files. The exploitation process involves navigating to the main WordPress page as an unauthenticated user, extracting a valid nonce from the page source, and using cURL to upload malicious files to the '/wp-content/uploads/booking_calendar/' directory (WPScan).

The vulnerability enables Remote Code Execution (RCE) capabilities, allowing attackers to execute arbitrary code on the affected system. With no authentication required and the ability to upload malicious files, attackers can potentially gain complete control over the affected WordPress installation (WPScan).

The vulnerability has been patched in version 3.2.2 of the booking-calendar plugin and version 21.1 of the booking-calendar-pro-payment plugin. Users are strongly advised to update to these versions or later to mitigate the risk (WPScan).