CVE-2022-1952

eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload

Basic Information

CVE State: PUBLISHED
Reserved Date: May 31, 2022
Published Date: July 11, 2022
Last Updated: August 03, 2024
Vendor: Syntactics, Inc.
Product: Free Booking Plugin for Hotels, Restaurant and Car Rental – eaSYNC
Description: The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.
Tags: wordpress nuclei_scanner

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Score

Score: 89.24% (Percentile: 99.51%) as of 2025-06-14

Exploit Status

Exploited in the Wild: Yes (2025-05-28 00:00:00 UTC)

Known Exploited Vulnerability Information

Source: The Shadowserver (via CIRCL)
Added Date: 2025-05-29 12:00:37 UTC

Scanner Integrations

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel