CVE-2023-5652
Published: 20 November 2023
Summary
CVE-2023-5652 is a critical-severity SQL Injection (CWE-89) vulnerability in Thimpress Wp Hotel Booking. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The WP Hotel Booking WordPress plugin before version 2.0.8 is affected by a SQL injection vulnerability (CWE-89). The root cause is the absence of authorization and CSRF checks on a function attached to admin_init that incorporates unsanitized user input directly into a SQL statement, enabling unauthenticated attackers to manipulate database queries.
Unauthenticated remote attackers can exploit the flaw over the network without user interaction to execute arbitrary SQL commands against the underlying database. Successful exploitation yields complete control over confidentiality, integrity, and availability of the affected WordPress site, consistent with the CVSS 3.1 base score of 9.8.
Public references hosted by WPScan document the issue and identify the vulnerable plugin versions, directing administrators to apply the vendor fix in release 2.0.8 or later. The associated EPSS score reached a peak of 0.7806 after disclosure before receding to its current value of 0.6658.
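The defect class described above, as an added illustration that is not code from WP Hotel Booking: a hypothetical handler hooked to admin_init with no authorization, nonce or input handling, beside a hardened form of the same handler. All function, option and table names (hb_example_*) are assumptions.

```php
<?php
// Added illustration (not code from WP Hotel Booking): the generic
// defect class the advisory describes, beside a hardened version.
// All function, parameter and table names here are hypothetical.

// VULNERABLE PATTERN: admin_init fires for every request that loads
// the admin bootstrap, including admin-ajax.php and admin-post.php,
// and does NOT imply a logged-in or privileged user. An action hooked
// here without authorization, nonce and input checks is reachable by
// anyone who can send an HTTP request.
add_action( 'admin_init', 'hb_example_vulnerable_handler' );
function hb_example_vulnerable_handler() {
    global $wpdb;
    if ( ! isset( $_GET['hb_example_action'] ) ) {
        return;
    }
    $id = $_GET['hb_example_id']; // untrusted and unsanitized
    // String concatenation into SQL: the request controls part of the query.
    $wpdb->query( "DELETE FROM {$wpdb->prefix}hb_example_rooms WHERE id = {$id}" );
}

// HARDENED PATTERN: capability check, CSRF nonce check, type coercion,
// and a prepared statement. Any one of these missing is a finding.
add_action( 'admin_init', 'hb_example_hardened_handler' );
function hb_example_hardened_handler() {
    global $wpdb;
    if ( ! isset( $_GET['hb_example_action'] ) ) {
        return;
    }
    // 1. Authorization: only users holding the capability may run this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hb-example' ), 403 );
    }
    // 2. CSRF: the request must carry a nonce issued for this exact action.
    check_admin_referer( 'hb_example_delete_room', 'hb_example_nonce' );
    // 3. Input typing: coerce to a non-negative integer before use.
    $id = absint( $_GET['hb_example_id'] );
    if ( 0 === $id ) {
        return;
    }
    // 4. Parameterized query: $wpdb->prepare() binds the value, so the
    //    SQL structure cannot be altered by the input.
    $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}hb_example_rooms WHERE id = %d",
            $id
        )
    );
}
```

When reviewing a plugin for this class of issue, the check is mechanical: for every callback attached to admin_init, admin-ajax or admin-post hooks, confirm that each of the four steps in the hardened handler is present before any database call.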
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-57945
Vulnerability details
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admin_init, allowing unauthenticated users to perform SQL injections.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.