Unauthenticated PHP Object Injection Vulnerability in Hotel Booking Lite Plugin
CVE-2024-4413

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Hotel Booking Lite
Vendor: CVE Published:; 14 May 2024

Summary

The Hotel Booking Lite plugin for WordPress contains a vulnerability related to PHP Object Injection that arises from the deserialization of untrusted input. All versions up to and including 4.11.1 are affected. This flaw allows unauthenticated attackers to inject PHP Objects, posing significant risks, particularly if a PHP Object Pollution (POP) chain is achieved through another malicious plugin or theme on the target website. Such exploitation could lead to unauthorized file deletions, retrieval of sensitive information, or arbitrary code execution, thereby compromising the integrity and security of the affected WordPress site.

Affected Version(s)

Hotel Booking Lite * <= 4.11.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/motopress-hote...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
May 2, 2024

Credit

Trinh Vu