PT-2022-14212 · WordPress · Free Booking Plugin For Hotels

Cydave · Published 2022-07-11 · Updated 2026-01-23 · CVE-2022-1952

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin, versions prior to 1.1.16.
Description

The issue arises from insufficient input validation in a file upload handler, leading to arbitrary file upload and, subsequently, remote code execution. The affected AJAX action is reachable by unauthenticated users. Although an allowlist of valid file extensions is defined, it is never consulted during validation, so the upload is not restricted to the intended file types.
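The pattern the description refers to, shown as an added PHP illustration that is not the plugin's own code: an unauthenticated AJAX handler with an allowlist that is defined but never applied, beside a hardened version of the same handler. The action name `fbp_upload_document`, the `document` form field and the allowlist contents are assumptions made for the example.

```php
<?php
/*
 * Added illustration, not code from the affected plugin.
 * Hypothetical names: fbp_upload_document, $allowed_extensions, the 'document' field.
 */

// --- Vulnerable pattern: allowlist defined, never consulted -----------------

function fbp_upload_document_vulnerable() {
    $allowed_extensions = array( 'pdf', 'jpg', 'jpeg', 'png' ); // defined, then never used

    if ( empty( $_FILES['document'] ) ) {
        wp_send_json_error( 'no file' );
    }

    $upload_dir = wp_upload_dir();
    $target     = trailingslashit( $upload_dir['path'] ) . basename( $_FILES['document']['name'] );

    // Attacker-controlled filename, extension never checked: a server-side script
    // ends up in a web-reachable directory.
    move_uploaded_file( $_FILES['document']['tmp_name'], $target );

    wp_send_json_success( array( 'url' => trailingslashit( $upload_dir['url'] ) . basename( $target ) ) );
}
// Registered for anonymous visitors, so no login is required to reach it.
add_action( 'wp_ajax_nopriv_fbp_upload_document', 'fbp_upload_document_vulnerable' );
add_action( 'wp_ajax_fbp_upload_document', 'fbp_upload_document_vulnerable' );

// --- Hardened pattern -------------------------------------------------------

function fbp_upload_document_hardened() {
    // 1. Authenticated users with an explicit capability only, plus a CSRF token.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'fbp_upload_document', 'nonce' );

    if ( empty( $_FILES['document'] ) || ! is_uploaded_file( $_FILES['document']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 2. Enforce the allowlist on the claimed extension and on the real content.
    $allowed_mimes = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['document']['tmp_name'],
        $_FILES['document']['name'],
        $allowed_mimes
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 3. Let WordPress move the file: sanitized, unique name, same allowlist applied again.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['document'],
        array( 'test_form' => false, 'mimes' => $allowed_mimes )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
// No wp_ajax_nopriv_ registration: the action is not exposed to anonymous requests.
add_action( 'wp_ajax_fbp_upload_document', 'fbp_upload_document_hardened' );
```

The hardened version fixes the two independent defects: the handler is no longer registered on the `wp_ajax_nopriv_` hook, and the allowlist is passed to `wp_check_filetype_and_ext()` and `wp_handle_upload()` so that both the filename and the file content are checked before anything is written to disk.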
Recommendations

For versions prior to 1.1.16, update to version 1.1.16 or later to resolve the issue. As a temporary workaround, restrict access to the affected AJAX action until the update can be applied. Plugin maintainers should additionally ensure that the defined allowlist of valid file extensions is actually enforced on every upload path.
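One way to apply the workaround without editing the plugin, as an added example that is not the vendor's fix: a must-use plugin that refuses anonymous admin-ajax requests for the affected action. The action name `fbp_upload_document` is a placeholder and must be replaced with the real action name of the affected plugin.

```php
<?php
/*
 * Plugin Name: Temporary block for unauthenticated upload action
 * Drop this file into wp-content/mu-plugins/. Added illustration, not the
 * vendor's fix. The action name below is hypothetical.
 */

function fbp_blocked_nopriv_actions() {
    return array( 'fbp_upload_document' ); // hypothetical action name
}

// Layer 1: unhook whatever the plugin registered on the anonymous AJAX hook.
// mu-plugins load before regular plugins, so a very late 'init' priority runs
// after the plugin has added its callbacks.
function fbp_unhook_nopriv_actions() {
    foreach ( fbp_blocked_nopriv_actions() as $action ) {
        remove_all_actions( 'wp_ajax_nopriv_' . $action );
    }
}
add_action( 'init', 'fbp_unhook_nopriv_actions', PHP_INT_MAX );

// Layer 2: reject the request outright before admin-ajax.php dispatches it.
// 'admin_init' fires in admin-ajax.php ahead of the wp_ajax_* dispatch.
function fbp_block_nopriv_actions() {
    if ( ! wp_doing_ajax() || is_user_logged_in() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( in_array( $action, fbp_blocked_nopriv_actions(), true ) ) {
        // Leave a trace for detection, then stop before any handler runs.
        error_log( sprintf(
            'blocked unauthenticated admin-ajax action "%s" from %s',
            $action,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
        wp_send_json_error( 'forbidden', 403 );
    }
}
add_action( 'admin_init', 'fbp_block_nopriv_actions', 0 );
```

Remove the must-use plugin once the site is on 1.1.16 or later; it only closes the anonymous entry point and does not correct the missing extension check for authenticated callers.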

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2022-1952

Affected Products

Free Booking Plugin For Hotels