WP Hotel Booking < 2.0.8 - Subscriber+ Arbitrary Post Deletion
CVE-2023-5651

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Hotel Booking
Vendor: CVE Published:; 20 November 2023

Summary

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated users, such as subscriber to delete arbitrary posts

Affected Version(s)

WP Hotel Booking 0 < 2.0.8

References

https://wpscan.com/vulnerability/a365c050-96ae-4266-aa87-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 20, 2023
Vulnerability Reserved
Oct 19, 2023

Credit

Krzysztof Zając (CERT PL)

WPScan