CVE-2023-6219: Malicious File Upload
First published: Tue Nov 28 2023(Updated: )
The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'bookingpress_process_upload' function in versions up to, and including, 1.0.76. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Reputeinfosystems Bookingpress | <=1.0.76 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/710b8e4e-01de-4e99-8cf2-31abc2419b29?source=cve
- https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/tags/1.0.76/core/classes/class.bookingpress_fileupload_class.php#L140
- https://plugins.trac.wordpress.org/changeset/3001484/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_settings.php
- https://plugins.trac.wordpress.org/changeset/3001484/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_fileupload_class.php
Frequently Asked Questions
What is CVE-2023-6219?
CVE-2023-6219 is a vulnerability in the BookingPress plugin for WordPress that allows authenticated attackers with administrator-level capabilities or above to upload arbitrary files due to insufficient file validation.
How severe is CVE-2023-6219?
CVE-2023-6219 has a severity keyword of 'high' and a severity value of 7.2.
How does CVE-2023-6219 affect the BookingPress plugin?
CVE-2023-6219 affects the BookingPress plugin for WordPress up to and including version 1.0.76 by allowing authenticated attackers with administrator-level capabilities or above to upload arbitrary files.
How can I fix CVE-2023-6219?
To fix CVE-2023-6219, update the BookingPress plugin to a version that includes a fix for the vulnerability, or apply a patch provided by the plugin vendor.
Is there any additional information about CVE-2023-6219?
Yes, you can find additional information about CVE-2023-6219 at the following references: [1] [2] [3]
- collector/nvd-api
- agent/references
- agent/event
- agent/type
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- agent/tags
- agent/remedy
- agent/weakness
- agent/author
- agent/severity
- collector/epss-latest
- source/FIRST
- agent/description
- agent/epss
- collector/mitre-cve
- source/MITRE
- vendor/reputeinfosystems
- canonical/reputeinfosystems bookingpress
- version/reputeinfosystems bookingpress/1.0.76