Attack Vectors
CVE-2024-31115 is a Critical vulnerability (CVSS 10.0) in the Chauffeur Taxi Booking System for WordPress plugin (slug: chauffeur-booking-system), affecting versions 7.2 and earlier. Because exploitation requires no authentication, an external attacker can attempt it over the internet without holding any account on the site.
In practical terms, attackers can target the site endpoints that handle uploads and attempt to place a malicious file onto the server. If successful, this can be used as a stepping stone to deeper compromise, potentially including remote code execution.
Security Weakness
The plugin is vulnerable to arbitrary file upload due to missing file type validation (per the published advisory) in all versions up to and including 7.2. When upload controls do not properly restrict what file types are allowed, an attacker may be able to upload server-executable files instead of safe content.
Reference: CVE-2024-31115 (CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Source advisory: Wordfence vulnerability record.
Remediation: Update the Chauffeur Taxi Booking System for WordPress plugin to version 7.3 or a newer patched release.
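As an added illustration (not code from the plugin, the advisory, or the patched release, none of which is shown on this page), the following Python sketch contrasts the defect class described above, an upload handler that never asks what it received, with a validator that enforces an allowlist, checks the file's leading bytes against the claimed extension, rejects unsafe or multi-extension names, and never lets the client-supplied name reach disk. The allowlist, size limit and magic-byte table are assumptions chosen for a booking form that only needs images and PDFs.

```python
import os
import re
import secrets
from typing import Tuple

# Allowlist for a booking form (assumption: customers only ever attach images or PDFs).
# Each extension maps to the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap for a booking attachment

# One run of safe characters, exactly one dot, then the extension: no path separators,
# no leading dot, no second extension such as "name.php.jpg".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,100}\.[A-Za-z0-9]{1,8}$")


def weak_accept(filename: str, data: bytes) -> bool:
    """The defect class the advisory describes: the handler never checks the file type."""
    return True


def hardened_validate(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only allowlisted types whose content matches the claimed extension."""
    # Reject anything carrying directory components or characters outside the safe set.
    if filename != os.path.basename(filename) or not SAFE_NAME.match(filename):
        return False, "rejected: unsafe file name"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"rejected: .{ext} is not an allowlisted type"
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "rejected: empty or oversized upload"
    # The extension alone proves nothing; the leading bytes must match the type it claims.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, f"rejected: content does not look like .{ext}"
    return True, f"accepted as .{ext}"


def storage_name(ext: str) -> str:
    """Server-chosen file name: the client-supplied name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed samples, not files from any real incident.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("invoice.php", b"<?php /* constructed placeholder */ ?>"),
        ("photo.php.jpg", b"\xff\xd8\xff\xe0"),
        ("../photo.jpg", b"\xff\xd8\xff\xe0"),
        ("photo.jpg", b"<?php /* constructed placeholder */ ?>"),
    ]
    for name, content in samples:
        ok, why = hardened_validate(name, content)
        print(f"weak={weak_accept(name, content)!s:5} hardened={ok!s:5} {name}: {why}")
```

In a WordPress plugin the equivalent checks are normally delegated to core rather than written by hand: wp_check_filetype_and_ext() compares the extension with the detected content and get_allowed_mime_types() supplies the site-wide allowlist, and the upload endpoint itself should also require a capability check and a nonce so that unauthenticated requests never reach the file handling at all.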
Technical or Business Impacts
This vulnerability can create a direct path from “public internet” to “server compromise.” Depending on what an attacker is able to upload and execute, impacts may include unauthorized access to website files and databases, defacement, malware distribution to customers, creation of hidden admin accounts, or the ability to pivot into other systems connected to the site.
For business leaders, the primary risks are brand damage (customers losing trust after a hacked booking experience), operational disruption (bookings down, revenue loss, incident response time), and compliance exposure (especially if customer contact details, booking data, or payment-related workflows are affected). A Critical severity rating (CVSS 10.0) typically warrants expedited patching and verification that no unauthorized files were placed on the server.
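The verification step mentioned above, confirming that no unauthorized files were placed on the server, as an added Python example that is not part of the advisory. It builds a small constructed uploads tree under a temporary directory and then flags anything a WordPress uploads directory should never contain: files with a server-executable extension, and files whose content carries a PHP open tag despite an image or document name. The extension set and the sample files are assumptions, not artifacts from any real site.

```python
import tempfile
from pathlib import Path
from typing import List, Tuple

# Extensions a typical Apache/PHP host will execute; none belong under wp-content/uploads.
# (Assumption: a common set, not taken from the advisory.)
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Return (relative path, reason) for every file that should not be in an uploads tree."""
    base = Path(root)
    findings = []
    for path in sorted(base.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(base).as_posix()
        suffixes = [s.lower() for s in path.suffixes]
        # Final extension decides how the web server treats the file, so check it first.
        if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
            findings.append((rel, "server-executable extension"))
            continue
        # Whole-file read: an open tag can sit anywhere, not only in the first bytes.
        data = path.read_bytes()
        if any(tag in data for tag in PHP_OPEN_TAGS):
            findings.append((rel, "PHP open tag inside a non-PHP file"))
    return findings


def build_constructed_uploads() -> str:
    """Create a throwaway uploads tree with constructed sample files (not real artifacts)."""
    root = tempfile.mkdtemp(prefix="constructed-uploads-")
    month = Path(root) / "2024" / "05"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (month / "booking.pdf").write_bytes(b"%PDF-1.4\n% constructed placeholder\n")
    (month / "invoice.php").write_bytes(b"<?php /* constructed placeholder, no real code */ ?>\n")
    (month / "logo.png").write_bytes(b"<?php /* constructed: PHP source under an image name */ ?>\n")
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(build_constructed_uploads()):
        print(f"{reason}: {rel}")
```

On a live site the same sweep is the first thing to run over wp-content/uploads after moving to 7.3: review every finding against the site's own media, and pair the scan with a web-server rule that refuses to execute PHP under the uploads directory, so that a file the scan misses still cannot run.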
Similar Attacks
Unrestricted or weakly validated file uploads are a recurring cause of large-scale website compromise because they can let attackers place executable code on a server. One widely reported example is the WP File Manager plugin vulnerability (CVE-2020-25213), which was leveraged to compromise many WordPress sites (see the NVD entry for CVE-2020-25213).