CVE-2022-1952 in Free Booking Plugin for Hotels, Restaurant and Car Rental Plugin
Summary
by MITRE • 07/11/2022
The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.
Analysis
by VulDB Data Team • 01/23/2026
Versions of the Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 contain a critical vulnerability rooted in inadequate input validation. The flaw lets an attacker bypass the intended upload controls and place malicious files on the target system, opening a path to remote code execution. Because the affected AJAX action is reachable by unauthenticated users, the attack surface is broad: anyone who can reach the site over the internet can attempt exploitation. The plugin defines an allowlist of valid file extensions as a defensive measure, but that control is rendered useless because it is never consulted during upload validation.
The flaw is a classic instance of insecure file handling: the system relies on client-side validation that is easily circumvented, while the server-side allowlist exists in the code but is never enforced during the upload validation phase, giving administrators a false sense of security. An attacker can defeat the extension check simply by renaming a malicious file to carry an allowed extension, or can exploit the missing server-side validation to upload files with dangerous content. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), a high-risk category because of its potential for remote code execution.
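The following is an added example, not code from the plugin or from VulDB. The plugin is written in PHP; the logic is shown in Python so it can run stand-alone. It puts the pattern the advisory describes (an allowlist defined in the code but never consulted) beside a server-side validator that actually enforces it, rejects executable extensions, double extensions, path components and null bytes, and checks the leading bytes of the content against the claimed type. The allowlist contents, the magic-byte table and the sample filenames are assumptions constructed for the example.

```python
import os
import re

# Extension allowlist of the kind the advisory says the plugin defines but never
# enforces. The real list is not on the page; this set is an assumption for the example.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Leading bytes expected for each allowed type, so content is checked, not just the name.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions a typical PHP web server will execute; rejected regardless of the allowlist.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "htaccess"}


def vulnerable_validate(filename: str, data: bytes) -> bool:
    """The pattern described in the advisory: an allowlist is defined in the code,
    but the validation step never consults it, so any non-empty upload is accepted."""
    _allowlist = ALLOWED_EXTENSIONS  # defined, never used
    return bool(filename) and bool(data)


def hardened_validate(filename: str, data: bytes) -> tuple[bool, str]:
    """Server-side validation that enforces the allowlist and checks the content.
    Returns (accepted, reason)."""
    # Reject any client-supplied directory component (path traversal attempts).
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base != filename:
        return False, "filename contains a path component"
    if "\x00" in base:
        return False, "filename contains a null byte"
    # Require a simple stem and exactly one extension; this also rejects double
    # extensions such as script.php.jpg.
    match = re.fullmatch(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)", base)
    if match is None:
        return False, "filename must be stem.ext with a single extension"
    ext = match.group(1).lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return False, f"executable extension .{ext} is never accepted"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f".{ext} is not in the allowlist"
    # The name is acceptable; now confirm the bytes look like the claimed type.
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not match .{ext}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample uploads, not files from any real incident.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("script.php", b"<?php echo 1; ?>"),
        ("script.php.jpg", b"\xff\xd8\xff\xe0"),
        ("../script.jpg", b"\xff\xd8\xff\xe0"),
        ("photo.jpg", b"<?php echo 1; ?>"),
    ]
    for name, content in samples:
        print(f"{name!r:20} vulnerable={vulnerable_validate(name, content)!s:5} "
              f"hardened={hardened_validate(name, content)}")
```

The point of the hardened version is that every decision happens on the server from the bytes and name actually received; nothing the client asserts about the file is trusted, and the allowlist is the last check rather than a list that merely exists.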
The operational impact is severe: unauthenticated attackers can gain remote code execution on the affected WordPress installation. Once a malicious file has been uploaded, the attacker can execute arbitrary code on the server, which can lead to complete system compromise, data exfiltration and lateral movement within the network. The AJAX endpoint that serves as the attack vector is particularly dangerous because it requires no authentication, so exploitation is straightforward even for attackers with minimal technical expertise. The issue maps to ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter), since it lets attackers run code remotely through a reachable web application.
Organizations running vulnerable versions of this plugin face a significant risk of compromise, especially those hosting online booking systems for hotels, restaurants or car rental services, where sensitive customer data is processed. The vulnerability is a critical weakness in the WordPress plugin ecosystem and illustrates why input validation and server-side controls must actually be enforced, not merely defined. The recommended mitigation is to upgrade immediately to version 1.1.16 or later, which closes the bypass by properly applying the defined file extension allowlist. Administrators should additionally segment the network, monitor for suspicious file uploads, and consider a web application firewall to detect and block malicious upload attempts. The case also underscores the need for regular security audits of third-party plugins and for verifying that security controls work as intended during development, so that implementation flaws of this kind do not reach production.
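As a concrete form of the "monitor for suspicious file uploads" recommendation, here is an added example (not part of the advisory, and not a VulDB or plugin tool) that scans web server access logs for the sequence this class of flaw produces: an unauthenticated POST to `admin-ajax.php` followed shortly afterwards by a request for a file with an executable extension under `/wp-content/uploads/`. The log lines are constructed for the example, the IP addresses are documentation ranges, the five-minute window is an assumption, and the detector does not know the plugin's actual AJAX action name because the page does not give it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2022:10:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "python-requests/2.28"
203.0.113.10 - - [11/Jul/2022:10:14:05 +0000] "GET /wp-content/uploads/2022/07/image.php HTTP/1.1" 200 12 "-" "python-requests/2.28"
198.51.100.7 - - [11/Jul/2022:10:15:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1034 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2022:10:15:12 +0000] "GET /wp-content/uploads/2022/07/photo.jpg HTTP/1.1" 200 40211 "https://example.test/" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a PHP web server would execute if they landed in the uploads tree.
EXEC_EXT = re.compile(r"\.(php|phtml|phar|php[3-7])(\?|$)", re.IGNORECASE)
UPLOADS_PREFIX = "/wp-content/uploads/"
AJAX_PATH = "/wp-admin/admin-ajax.php"
WINDOW = timedelta(minutes=5)  # assumed correlation window between upload and first access


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not match the format."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text: str):
    """Return (ip, kind, path, status) tuples for suspicious requests.

    kind is "executable-under-uploads" for any request to an executable file
    below the uploads directory, or "ajax-upload-then-execute" when the same
    client POSTed to admin-ajax.php within WINDOW beforehand."""
    alerts = []
    last_ajax_post = {}  # ip -> timestamp of that client's most recent admin-ajax.php POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if rec["method"] == "POST" and path.split("?", 1)[0] == AJAX_PATH:
            last_ajax_post[ip] = ts
            continue
        if path.startswith(UPLOADS_PREFIX) and EXEC_EXT.search(path):
            kind = "executable-under-uploads"
            previous = last_ajax_post.get(ip)
            if previous is not None and ts - previous <= WINDOW:
                kind = "ajax-upload-then-execute"
            alerts.append((ip, kind, path, rec["status"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A legitimate booking form also POSTs to `admin-ajax.php` (the second client in the sample), so the AJAX request alone is not an indicator; what makes the first client stand out is the executable file being served from the uploads tree afterwards. A 200 status on that request is the strongest signal, since it means the server actually handed the file to the PHP interpreter, but a 403 or 404 is still worth recording as an attempt.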