CVE-2026-56059

PhysCode · Travel Booking

The Travel Booking WordPress plugin contains an arbitrary file upload vulnerability exploitable by authenticated subscribers.

Executive summary

A critical arbitrary file upload flaw in the PhysCode Travel Booking plugin allows authenticated subscribers to achieve remote code execution.

Vulnerability

This vulnerability allows an authenticated user with subscriber-level permissions to bypass file type restrictions, facilitating the upload and execution of arbitrary code on the server.

Business impact

The ability for a low-privileged user to execute arbitrary code poses a critical risk to the confidentiality and integrity of the application. With a CVSS score of 9.9, this vulnerability could be exploited to gain persistent access, steal customer booking data, or redirect traffic, causing significant reputational and financial harm.

Remediation

Immediate Action: Apply the latest vendor-supplied patch to the Travel Booking plugin to address the file upload validation flaw.

Proactive Monitoring: Monitor server activity for any unexpected file uploads or unauthorized modifications to the web root directory.

Compensating Controls: Use a WAF to inspect and block malicious file upload attempts, and consider disabling file upload features in the plugin until an update is applied.
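The monitoring step above is easier to operationalise with a concrete check. The following script is an added example, not code from this advisory or from the PhysCode plugin: it walks a WordPress uploads directory (assumed to be wp-content/uploads, which should hold only static media) and flags files that a PHP server could execute, files with a PHP open tag hidden behind an image extension, and handler-override files. The sample tree it scans is constructed inline.

```python
import os
import tempfile

# Extensions PHP servers typically execute; uploads should hold only static media.
EXEC_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc"}

def classify(path):
    """Return a reason string if the file looks executable, else None."""
    name = os.path.basename(path).lower()
    if name == ".htaccess":
        return "handler override file in uploads"
    # Check every extension segment so "avatar.php.jpg" is caught as well.
    if any(ext in EXEC_EXTENSIONS for ext in name.split(".")[1:]):
        return "executable extension"
    with open(path, "rb") as fh:  # innocent name, but PHP open tag inside?
        head = fh.read(512)
    if b"<?php" in head or b"<?=" in head:
        return "php tag in non-php file"
    return None

def find_suspicious_uploads(root):
    """Walk an uploads tree; return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def build_sample_tree(base):
    """Write a small constructed uploads tree (sample data, not a real site)."""
    samples = {
        "2026/01/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "2026/02/avatar.php.jpg": b"\xff\xd8\xff\xe0 constructed",
        "2026/02/itinerary.png": b"<?php echo 'constructed sample'; ?>",
        "2026/02/shell.phtml": b"<?php /* constructed sample */ ?>",
        "2026/02/.htaccess": b"AddType application/x-httpd-php .png",
    }
    for rel, data in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def scan_sample_tree():
    # Build the constructed tree in a temp dir, scan it, return the findings.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_suspicious_uploads(tmp)
```

Run find_suspicious_uploads against the real uploads path from cron and alert on any non-empty result; a clean uploads directory returns an empty list.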

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Urgent remediation is required to mitigate this risk. Administrators should update the Travel Booking plugin immediately and audit existing subscriber accounts to ensure no malicious activity has already occurred within the environment.