Remote Code Execution in wp-hotel-booking Plugin for WordPress
CVE-2020-29047

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: WP Hotel Booking
Vendor: CVE Published:; 3 March 2021

Summary

The wp-hotel-booking plugin for WordPress, through version 1.10.2, is vulnerable to remote code execution due to improper handling of the 'thimpress_hotel_booking_1' cookie. This vulnerability arises from an unserialize operation in the 'includes/class-wphb-sessions.php' file, enabling attackers to execute arbitrary code on the server. It is crucial for WordPress site administrators to review their installations and update to the latest version to mitigate potential exploitation risks.

References

https://wordpress.org/plugins/wp-hotel-booking/#developers

x_refsource_MISC

https://appcheck-ng.com/cve-2020-29047/

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 3, 2021
Vulnerability Reserved
Nov 24, 2020