WP Hotel Booking Plugin up to 2.0.7 on WordPress admin_init sql injection
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.9 | $0-$5k | 0.00 |
Summary
A vulnerability marked as critical has been reported in WP Hotel Booking Plugin up to 2.0.7 on WordPress. This impacts the function admin_init. The manipulation leads to sql injection.
This vulnerability is uniquely identified as CVE-2023-5652. No exploit exists.
It is suggested to upgrade the affected component.
Details
A vulnerability, which was classified as critical, has been found in WP Hotel Booking Plugin up to 2.0.7 on WordPress (Hospitality Software). This issue affects the function admin_init. The manipulation with an unknown input leads to a sql injection vulnerability. Using CWE to declare the problem leads to CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admin_init, allowing unauthenticated users to perform SQL injections
The weakness was disclosed 11/20/2023 by Krzysztof Zając. The advisory is shared at wpscan.com. The identification of this vulnerability is CVE-2023-5652 since 10/19/2023. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1505 for this issue.
Upgrading to version 2.0.8 eliminates this vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Type
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.0VulDB Meta Temp Score: 7.9
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Sql injectionCWE: CWE-89 / CWE-74 / CWE-707
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: WP Hotel Booking Plugin 2.0.8
Timeline
10/19/2023 🔍11/20/2023 🔍
11/20/2023 🔍
12/14/2023 🔍
Sources
Advisory: wpscan.comResearcher: Krzysztof Zając
Status: Confirmed
CVE: CVE-2023-5652 (🔍)
GCVE (CVE): GCVE-0-2023-5652
GCVE (VulDB): GCVE-100-245837
Entry
Created: 11/20/2023 20:46Updated: 12/14/2023 18:01
Changes: 11/20/2023 20:46 (42), 12/14/2023 18:01 (11)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.