
BookingPress Plugin CVE-2024-3022

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-04-04 security@wordfence.com
7.2
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch released: Apr 08, 2026 - 17:22 (nvd). Patch available.
PoC Detected: Apr 08, 2026 - 17:18 (vuln.today). Public exploit code.
CVE Published: Apr 04, 2024 - 02:15 (nvd). HIGH 7.2.

Description (CVE.org)

The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient filename validation in the 'bookingpress_process_upload' function in all versions up to, and including 1.0.87. This allows an authenticated attacker with administrator-level capabilities or higher to upload arbitrary files on the affected site's server, enabling remote code execution.

Analysis (AI)

Authenticated arbitrary file upload in the BookingPress WordPress plugin (versions through 1.0.87) enables remote code execution by administrator-level users who can upload malicious files via the 'bookingpress_process_upload' function. Publicly available exploit code exists and EPSS places this in the 92nd percentile (8.31% probability), indicating elevated likelihood of exploitation attempts despite the high-privilege requirement. The flaw affects the free WordPress edition distributed by Repute InfoSystems.

Technical Context (AI)

BookingPress is a WordPress appointment-booking plugin developed by Repute InfoSystems (CPE: cpe:2.3:a:reputeinfosystems:bookingpress) used to manage service scheduling and bookings on WordPress sites. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the 'bookingpress_process_upload' handler fails to properly validate filenames or extensions, so an attacker can supply a file whose name or extension causes PHP (or another server-interpreted handler) to execute the uploaded content when accessed via the web. Because WordPress administrators can install plugins and themes by design, this represents an additional vector that bypasses normal upload paths and is reachable through the plugin's own AJAX/REST endpoint regardless of stricter WordPress core upload filters.

Remediation (AI)

Patch available per vendor advisory - upgrade the BookingPress plugin to a version later than 1.0.87 (the version that introduced the fix should be verified against the Wordfence advisory and wordpress.org plugin page before deployment). As compensating controls until upgrade, restrict administrator account access via strong MFA and IP allowlisting on /wp-admin to reduce the attack surface that depends on a compromised admin, disable the BookingPress plugin entirely if it is not in active use (this disables booking functionality on the site), and configure the web server to deny PHP execution within the plugin's uploads directory (this prevents direct execution of uploaded payloads but may break legitimate plugin features that rely on serving uploaded files). A WAF rule blocking requests to the 'bookingpress_process_upload' AJAX action with executable extensions is an additional layer but is not a substitute for patching.
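As an added illustration of the control the advisory describes as missing, the following is an example WordPress AJAX upload handler that enforces a capability check, a nonce check, an explicit type allowlist, and content-based extension validation before letting core move the file. This is not BookingPress's code and does not reproduce the vulnerable function; it assumes it runs inside WordPress (so core functions such as wp_check_filetype_and_ext and wp_handle_upload are available), and the action name 'example_process_upload', the nonce action 'example_upload_nonce', and the helper example_has_executable_segment are hypothetical names chosen for this example.

```php
<?php
/*
 * Added example, not BookingPress code: a hardened WordPress AJAX upload handler
 * showing the filename/content validation that CWE-434 requires.
 * Assumes WordPress core is loaded. Action, nonce and helper names are hypothetical.
 */

add_action( 'wp_ajax_example_process_upload', 'example_process_upload' );

function example_process_upload() {
    // 1. Authorization and CSRF protection: only intended users, only from the plugin's own form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'example_upload_nonce', 'nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    $file     = $_FILES['file'];
    $filename = sanitize_file_name( $file['name'] ); // strips path separators, odd characters, trailing dots

    // 2. Allowlist only the types this feature needs (assumption for the example: images).
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // 3. Core checks the extension against the allowlist and the file content against the
    //    claimed type; 'ext'/'type' are false on mismatch, and 'proper_filename' is set when
    //    the extension had to be rewritten to match the real content.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $filename, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $filename = $check['proper_filename'];
    }

    // 4. Defence in depth: reject names carrying a server-interpreted extension in any
    //    segment (e.g. "report.php.jpg"), since some web server configurations map
    //    handlers by any extension segment rather than only the last one.
    if ( example_has_executable_segment( $filename ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 5. Let core move the file into the uploads directory. test_form is false because
    //    this is an AJAX request rather than the standard media form; 'mimes' repeats
    //    the allowlist so wp_handle_upload applies the same restriction.
    $file['name'] = $filename;
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Hypothetical helper: true if any extension segment after the base name is one the
// web server might execute or interpret as configuration.
function example_has_executable_segment( $filename ) {
    $dangerous = array(
        'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'pht',
        'phps', 'inc', 'cgi', 'pl', 'htaccess',
    );
    $parts = array_map( 'strtolower', explode( '.', $filename ) );
    array_shift( $parts ); // drop the base name; only extension segments remain
    foreach ( $parts as $segment ) {
        if ( in_array( $segment, $dangerous, true ) ) {
            return true;
        }
    }
    return false;
}
```

The application-level checks above complement, rather than replace, the server-level control mentioned in the remediation (denying PHP execution in the uploads directory): the handler ensures only allowlisted, content-verified files are written, and the server rule ensures that even a file which slips through is served as static content instead of being executed.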


CVE-2024-3022 vulnerability details – vuln.today
