Unauthenticated PHP Object Injection Vulnerability in Hotel Booking Lite Plugin
CVE-2024-4413
9.8CRITICAL
Key Information
- Vendor
- Jetmonsters
- Status
- Hotel Booking Lite
- Vendor
- CVE Published:
- 14 May 2024
Summary
The Hotel Booking Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.11.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected Version(s)
Hotel Booking Lite * <= 4.11.1
References
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database
Credit
Trinh Vu