WP Hotel Booking < 2.0.8 - Unauthenticated SQLi
CVE-2023-5652

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: WP Hotel Booking
Vendor: CVE Published:; 20 November 2023

Summary

The WP Hotel Booking plugin prior to version 2.0.8 lacks essential authorization and CSRF protections, which results in improper handling of user input. This oversight allows unauthenticated users to execute SQL injection attacks through functions linked to admin initialization, potentially compromising the integrity of the database and exposing sensitive information.

Affected Version(s)

WP Hotel Booking 0 < 2.0.8

References

https://wpscan.com/vulnerability/8ea46b9a-5239-476b-949d-...

exploitvdb-entrytechnical-description

EPSS Score

18% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 20, 2023
Vulnerability Reserved
Oct 19, 2023

Credit

Krzysztof Zając (CERT PL)

WPScan