WP Hotel Booking < 2.0.8 - Unauthenticated SQLi
CVE-2023-5652
9.8CRITICAL
Summary
The WP Hotel Booking plugin prior to version 2.0.8 lacks essential authorization and CSRF protections, which results in improper handling of user input. This oversight allows unauthenticated users to execute SQL injection attacks through functions linked to admin initialization, potentially compromising the integrity of the database and exposing sensitive information.
Affected Version(s)
WP Hotel Booking 0 < 2.0.8
References
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Krzysztof Zając (CERT PL)
WPScan