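The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because load() in includes/class-wphb-sessions.php performs an unserialize operation on the client-supplied thimpress_hotel_booking_1 cookie. The wpexploit and wpvulndb entries in the record below report that the fix attempted in 1.10.3 (passing the cookie value through sanitize_text_field()) does not prevent PHP Object Injection, so the "through 1.10.2" range here and the "at least 1.10.3" advice in the patchstack entry should not be read as confirmation that 1.10.3 is remediated.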
{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:33:10", "description": "A remote code execution vulnerability exists in WordPress Hotel Booking Plugin. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-02T00:00:00", "type": "checkpoint_advisories", "title": "WordPress Hotel Booking Plugin Remote Code Execution (CVE-2020-29047)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29047"], "modified": "2021-05-02T00:00:00", "id": "CPAI-2020-3337", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2021-03-17T18:43:31", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-29047"], "description": "The plugin unserialised the value in the thimpress_hotel_booking_1 cookie without sanitisation, which could lead to an unauthenticated PHP Object Injection. 
If the plugin is installed on WP < 5.5.2, then there is a suitable gadget chain to obtain RCE, otherwise, another gadget chain will have to be used (ie from another installed plugin for instance). The fix attempted in 1.10.3 (ie sanitising the cookie value through sanitize_text_field() does nothing against PHP Object Injection and the plugin is still vulnerable, despite the original advisory stating that the issue has been fixed. This has been escalated to the WordPress plugin team on March 4th, 2021.\n", "modified": "2021-03-11T06:00:58", "published": "2020-12-08T00:00:00", "id": "WPEX-ID:E11265F5-39ED-4415-8376-4F092EF12003", "href": "", "type": "wpexploit", "title": "WP Hotel Booking <= 1.10.3 - Unauthenticated PHP Object Injection", "sourceData": "The PoC will be displayed once the issue has been remediated", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "patchstack": [{"lastseen": "2022-06-01T19:33:11", "description": "Unauthenticated Remote Code Execution (RCE) via Arbitrary Object Deserialisation vulnerability discovered by Nick Blundell (AppCheck Ltd) in WordPress WP Hotel Booking plugin (versions <= 1.10.2).\n\n## Solution\n\n\r\n Update the WordPress WP Hotel Booking plugin to the latest available version (at least 1.10.3).\r\n ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "patchstack", "title": "WordPress WP Hotel Booking plugin <= 1.10.2 - Unauthenticated Remote Code Execution (RCE) via Arbitrary Object Deserialisation vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 
10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29047"], "modified": "2021-03-03T00:00:00", "id": "PATCHSTACK:E1D746F6C1EFAF887A6B1A53391D1FBE", "href": "https://patchstack.com/database/vulnerability/wp-hotel-booking/wordpress-wp-hotel-booking-plugin-1-10-2-unauthenticated-remote-code-execution-rce-via-arbitrary-object-deserialisation-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2021-03-17T18:43:31", "bulletinFamily": "software", "cvelist": ["CVE-2020-29047"], "description": "The plugin unserialised the value in the thimpress_hotel_booking_1 cookie without sanitisation, which could lead to an unauthenticated PHP Object Injection. If the plugin is installed on WP < 5.5.2, then there is a suitable gadget chain to obtain RCE, otherwise, another gadget chain will have to be used (ie from another installed plugin for instance). The fix attempted in 1.10.3 (ie sanitising the cookie value through sanitize_text_field() does nothing against PHP Object Injection and the plugin is still vulnerable, despite the original advisory stating that the issue has been fixed. 
This has been escalated to the WordPress plugin team on March 4th, 2021.\n\n### PoC\n\nThe PoC will be displayed once the issue has been remediated\n", "modified": "2021-03-11T06:00:58", "published": "2020-12-08T00:00:00", "id": "WPVDB-ID:E11265F5-39ED-4415-8376-4F092EF12003", "href": "https://wpscan.com/vulnerability/e11265f5-39ed-4415-8376-4f092ef12003", "type": "wpvulndb", "title": "WP Hotel Booking <= 1.10.3 - Unauthenticated PHP Object Injection", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}