Description

WordPress Plugin Booking Calendar is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input. Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. WordPress Plugin Booking Calendar version 7.0 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 7.1 or latest

References

http://defensecode.com/advisories/DC-2017-12-005_WordPress_Booking_Calendar_Plugin_Advisory.pdf

https://packetstormsecurity.com/files/145502/WordPress-Booking-Calendar-7.0-7.1-SQL-Injection-Local-File-Inclusion.html

Related Vulnerabilities

WordPress Plugin Genesis Simple Defaults Arbitrary File Upload (1.0.0)

WordPress Plugin Category List Portfolio Page TimThumb Arbitrary File Upload (1.2.3)

WordPress Plugin Numbers generator and validator Multiple Unspecified Vulnerabilities (1.02)

WordPress Plugin Contact Form by BestWebSoft Cross-Site Scripting (3.81)

WordPress Plugin 3D Banner Rotator 'upload.php' Arbitrary File Upload (2.1)

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Tags

Missing Update File Inclusion