CVE-2022-3982: CWE-434 Unrestricted Upload of File with Dangerous Type in Unknown Booking calendar, Appointment Booking System

Critical
Published: Mon Dec 12 2022 (12/12/2022, 17:54:47 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Booking calendar, Appointment Booking System

Description

The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP scripts, and achieve RCE.

AI-Powered Analysis

Last updated: 06/21/2025, 13:52:57 UTC

Technical Analysis

CVE-2022-3982 is a critical vulnerability affecting the Booking calendar, Appointment Booking System WordPress plugin in versions prior to 3.2.2. The core issue is an unrestricted file upload flaw (CWE-434): the plugin does not validate the type of files uploaded by users. This missing validation allows unauthenticated attackers to upload arbitrary files, including PHP scripts. Once such a script is placed in a web-accessible directory served by the PHP handler, requesting it executes it on the server, leading to Remote Code Execution (RCE). The vulnerability is particularly severe because it requires no authentication or user interaction, so attackers scanning for vulnerable WordPress sites can exploit it directly. The CVSS v3.1 base score of 9.8 reflects the high impact on confidentiality, integrity, and availability, combined with network exploitability without privileges. The affected plugin comes from an unknown vendor and is used for appointment booking and calendar management on WordPress sites. Although no public exploits had been reported in the wild as of the publication date, the nature of the flaw and its critical severity suggest a high risk of exploitation if left unpatched. The absence of patch links in the record means users must verify plugin updates themselves or seek vendor guidance to mitigate the risk. The CVE was assigned by WPScan and enriched by CISA, underscoring its significance in the WordPress ecosystem.

Potential Impact

For European organizations, this vulnerability poses a significant threat, especially those relying on WordPress-based appointment booking systems for customer interaction, healthcare scheduling, service industries, and public sector portals. Exploitation could lead to full system compromise, data breaches involving sensitive customer or patient information, disruption of services, and potential lateral movement within corporate networks. Given the criticality and unauthenticated nature of the exploit, attackers could deface websites, deploy ransomware, or use compromised servers as pivot points for broader attacks. The impact is amplified for organizations with strict data protection regulations such as GDPR, where breaches can result in substantial fines and reputational damage. Additionally, sectors with high reliance on online booking systems, such as hospitality, healthcare, and government services, are at elevated risk. The vulnerability could also be leveraged for supply chain attacks if the compromised WordPress sites serve as entry points to larger enterprise networks.

Mitigation Recommendations

1. Immediately verify the installed version of the Booking calendar, Appointment Booking System WordPress plugin and upgrade to version 3.2.2 or later, where the vulnerability is patched.
2. If an official patch is unavailable, temporarily disable or remove the plugin to prevent exploitation.
3. Implement web application firewalls (WAFs) with rules to detect and block suspicious file uploads, particularly those attempting to upload PHP or other executable files.
4. Enforce strict file upload restrictions at the server level, including limiting allowed MIME types and extensions, and scanning uploads with antivirus and malware detection tools.
5. Harden WordPress installations by disabling PHP execution in upload directories via .htaccess or server configuration, to limit the impact if malicious files are uploaded.
6. Monitor web server logs for unusual upload activity or access to unexpected files.
7. Conduct regular security audits and vulnerability scans focusing on plugins and third-party components.
8. Educate site administrators on the risks of outdated plugins and the importance of timely updates.
9. Consider isolating WordPress instances in segmented network zones to limit potential lateral movement in case of compromise.
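Recommendation 6 above can be turned into a concrete check. The following is an added example, not code from the advisory or the plugin: it scans Apache/nginx combined-format access-log lines for requests to files with PHP-executable extensions under `/wp-content/uploads/`, and notes when the same client IP had a preceding successful POST (the upload). The sample log lines and the POST endpoint path are constructed placeholders, since the plugin's real upload endpoint is not given in the record.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions the PHP handler may execute on a typical WordPress host. The trailing
# (\.|$) also catches double extensions such as "image.php.jpg" (Apache multi-ext).
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.IGNORECASE)
UPLOADS = "/wp-content/uploads/"

def parse(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Return (reason, ip, path) findings for executable files requested under uploads.

    Any such request is flagged (even a 403: it is still an attempt worth reviewing);
    the reason is strengthened when the same IP previously completed a POST."""
    findings = []
    posts_by_ip = defaultdict(int)
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        path = r["path"].split("?", 1)[0]          # drop query string before matching
        if r["method"] == "POST" and r["status"].startswith("2"):
            posts_by_ip[r["ip"]] += 1
        if UPLOADS in path and EXEC_EXT.search(path):
            reason = "executable file requested under uploads"
            if posts_by_ip[r["ip"]]:
                reason += " after successful POST from same IP"
            findings.append((reason, r["ip"], path))
    return findings

# Constructed sample log (placeholder endpoint and IPs from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2022:18:01:02 +0000] "GET /appointments/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Dec/2022:18:01:09 +0000] "POST /PLACEHOLDER-upload-endpoint HTTP/1.1" 200 73',
    '203.0.113.7 - - [12/Dec/2022:18:01:15 +0000] "GET /wp-content/uploads/2022/12/upload.php HTTP/1.1" 200 412',
    '198.51.100.4 - - [12/Dec/2022:18:02:00 +0000] "GET /wp-content/uploads/2022/12/photo.jpg HTTP/1.1" 200 90211',
    '198.51.100.9 - - [12/Dec/2022:18:03:30 +0000] "GET /wp-content/uploads/2022/12/x.phtml HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for reason, ip, path in detect(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

If recommendation 5 (no PHP execution under uploads) is in place, the third sample line would return 403 rather than 200, but the request itself remains a useful indicator.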

Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-11-14T09:57:40.519Z
CISA Enriched: true

Threat ID: 682d984ac4522896dcbf72d4

Added to database: 5/21/2025, 9:09:30 AM

Last enriched: 6/21/2025, 1:52:57 PM

Last updated: 8/1/2025, 1:46:11 AM
