First published: Mon Nov 20 2023
The WP Hotel Booking WordPress plugin before 2.0.8 lacks authorisation and CSRF checks, and does not escape user input before using it in a SQL statement inside a function hooked to admin_init, allowing unauthenticated users to perform SQL injection.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Thimpress Wp Hotel Booking | < 2.0.8 | Update to 2.0.8 or later |
The severity of CVE-2023-5652 is critical.
The vulnerability in WP Hotel Booking < 2.0.8 is an unauthenticated SQL injection (SQLi).
It allows unauthenticated users to perform SQL injection because the affected code lacks authorization and Cross-Site Request Forgery (CSRF) checks and does not escape user input before using it in a SQL statement.
The affected versions of the WP Hotel Booking plugin are all versions before 2.0.8 (2.0.8 itself is not affected).
Updating WP Hotel Booking to version 2.0.8 or later fixes CVE-2023-5652.
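The three missing controls named in this advisory (authorisation, CSRF protection, and SQL escaping) map to three standard WordPress APIs. The snippet below is an added, constructed example of a hardened admin_init handler; it is not code from the WP Hotel Booking plugin, and the hook callback name, request parameters, table name and capability are assumptions chosen for illustration. The key point for reviewers is that admin_init fires on every request to wp-admin and to admin-ajax.php, and admin-ajax.php is reachable by logged-out visitors, so a callback on that hook must perform its own capability and nonce checks before touching the database.

```php
<?php
// Added example (not the plugin's code). Names below are constructed for illustration:
// the action value, the 'room_id' parameter, the table and the capability are assumptions.

add_action( 'admin_init', 'example_hb_handle_room_delete' );

function example_hb_handle_room_delete() {
    // admin_init runs on every wp-admin and admin-ajax.php request, including
    // requests from logged-out visitors, so first confirm this request is ours.
    if ( ! isset( $_REQUEST['example_hb_action'] )
        || 'delete_room' !== $_REQUEST['example_hb_action'] ) {
        return;
    }

    // 1. Authorisation: being on admin_init proves nothing about the caller.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to do this.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. CSRF: require a nonce bound to this specific action (dies on failure).
    check_admin_referer( 'example_hb_delete_room' );

    // 3. SQL: validate the input type and bind it with $wpdb->prepare().
    //    Weak pattern the advisory describes (never do this):
    //    $wpdb->query( "DELETE FROM {$table} WHERE room_id = " . $_REQUEST['room_id'] );
    global $wpdb;
    $room_id = absint( $_REQUEST['room_id'] ?? 0 );
    if ( 0 === $room_id ) {
        wp_die(
            esc_html__( 'Invalid room id.', 'example' ),
            '',
            array( 'response' => 400 )
        );
    }

    $table = $wpdb->prefix . 'example_hb_rooms'; // assumed table name
    $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE room_id = %d", $room_id )
    );
}
```

The order matters: the capability check runs before the nonce check so an unauthenticated caller is rejected without ever reaching request parsing, and the `%d` placeholder in `$wpdb->prepare()` makes the integer type explicit even though `absint()` has already coerced the value. The same three checks apply to any callback reachable through admin-ajax.php or admin-post.php, not only to admin_init.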