Cyber Resilience

CVE-2023-5991

Critical · Public PoC

Published: 26 December 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in 4.8.5
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7832 (99.0th percentile)
Risk Priority: 67 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-5991 is a critical-severity Path Traversal (CWE-22) vulnerability in Motopress Hotel Booking Lite. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Hotel Booking Lite WordPress plugin before version 4.8.5 is affected by a path traversal vulnerability (CWE-22) that stems from missing validation of user-supplied file paths together with absent CSRF and authorization checks. The flaw carries a CVSS 3.1 score of 9.8 and allows an unauthenticated remote user to download or delete arbitrary files that the web server process can reach.

An attacker with no credentials can supply crafted paths to download or delete any file accessible to the web server process. Successful exploitation can result in disclosure of sensitive configuration or database files and in destructive modification of plugin or core WordPress assets, enabling further compromise of the site.

The referenced WPScan advisory identifies the issue in builds prior to 4.8.5 and indicates that updating to the fixed release eliminates the vulnerable code paths. The associated EPSS score has remained elevated, with a current value of 0.7832 and a recorded peak of 0.8014, reflecting sustained exploitation interest after disclosure.

Vulnerability details

The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input and lacks proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: motopress
Product: hotel booking lite
Versions: ≤ 4.8.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
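The three missing checks named in the analysis above (authorization, CSRF, path validation) together, as an added illustration of the control; this is example code written for this page, not Motopress plugin code, and the handler name, the `hbl_example_download` nonce action, the `manage_options` capability and the `hbl-example-exports` directory are all assumptions.

```php
<?php
// Added example: a hardened WordPress admin-ajax file download handler (not Motopress code).

/**
 * Resolve a user-supplied file name to a path inside $base_dir, or return null
 * if it escapes that directory (traversal), does not exist, or is not a file.
 */
function hbl_example_resolve_safe_path(string $base_dir, string $user_file): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Reject any directory component or NUL byte outright: the handler only
    // ever serves files that sit directly inside $base_dir.
    if ($user_file === '' || strpbrk($user_file, "/\\\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $user_file);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has collapsed any ".." segments, so a prefix check is now meaningful.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

/** Hypothetical admin-ajax action handler with all three checks in place. */
function hbl_example_download_handler(): void {
    // Authorization: only users allowed to manage the site may export files.
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', 403);
    }
    // CSRF: the request must carry a nonce issued for this specific action.
    check_ajax_referer('hbl_example_download', 'nonce');
    // Path confinement: the file must resolve inside the intended export directory.
    $base_dir  = trailingslashit(wp_upload_dir()['basedir']) . 'hbl-example-exports';
    $requested = isset($_GET['file']) ? wp_unslash($_GET['file']) : '';
    $path      = hbl_example_resolve_safe_path($base_dir, (string) $requested);
    if ($path === null) {
        wp_die('Invalid file', 400);
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit;
}
add_action('wp_ajax_hbl_example_download', 'hbl_example_download_handler');
```

A delete handler would reuse `hbl_example_resolve_safe_path()` unchanged and call `unlink()` on the result only after the same capability and nonce checks.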
