Vulnerability detail

Enriched intelligence for a single CVE

PRO Back to KEVs

9.8

CVSS
Critical

CVE-2022-1952

PUBLISHED

eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload

Exploited in the wild Remote Low complexity No user interaction

Vendor: Unknown
Product: Free Booking Plugin for Hotels, Restaurant and Car Rental – eaSYNC
Published: Jul 11, 2022
EPSS: —

Automate this intelligence with the Pro API

Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.

Learn about Pro

Description

The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.

nuclei_scanner

Weaknesses (CWE)

CWE-434

Unrestricted Upload of File with Dangerous Type

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 7.5 High

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation status

Exploited in the wild

Recorded 2025-07-06 00:00:00 UTC · The Shadowserver (via CIRCL)

References

https://wpscan.com/vulnerability/ecf61d17-8b07-4cb6-93a8-64c2c4fbbe04

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
The Shadowserver (via CIRCL) First	2025-07-06 00:00 UTC

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-1952.yaml	Apr 25, 2025

Timeline

CVE ID Reserved

2022-05-31 00:00 UTC
CVE Published to Public

2022-07-11 12:56 UTC
Detected by Nuclei

2025-04-25 00:00 UTC
Added to KEVIntel

2025-07-06 00:00 UTC