Main Vulnerability Database Exploits ID:7823 - Exploit for Arbitrary file upload in Booked - Appointment Booking for WordPress - CVE-2019-9581

ID:7823 - Exploit for Arbitrary file upload in Booked - Appointment Booking for WordPress - CVE-2019-9581

Published: May 13, 2022

Vulnerability identifier: #VU36082

Vulnerability risk: High

CVE-ID: CVE-2019-9581

CWE-ID: CWE-434

Exploitation vector: Remote access

Vulnerable software:
Booked - Appointment Booking for WordPress

Link to public exploit:

https://www.exploit-db.com/exploits/50594/

Vulnerability description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the application allows unrestricted upload of dangerous files in Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code, because Presenters/Admin/ManageThemePresenter.php does not ensure an image file extension. A remote attacker can upload a malicious file and execute it on the server.

Remediation

Install update from vendor's website.

ID:7823 - Exploit for Arbitrary file upload in Booked - Appointment Booking for WordPress - CVE-2019-9581

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human