wpexploit / Wpvulndb / WPEX-ID:E11265F5-39ED-4415-8376-4F092EF12003
Dec 08, 2020 - 12:00 a.m.

WP Hotel Booking <= 1.10.3 - Unauthenticated PHP Object Injection

The plugin unserialised the value of the thimpress_hotel_booking_1 cookie without sanitisation, which could lead to unauthenticated PHP Object Injection. If the plugin is installed on WP < 5.5.2, a suitable gadget chain is available to obtain RCE; otherwise, another gadget chain has to be used (e.g. one from another installed plugin). The fix attempted in 1.10.3 (i.e. sanitising the cookie value through sanitize_text_field()) does nothing against PHP Object Injection, and the plugin is still vulnerable, despite the original advisory stating that the issue has been fixed. This was escalated to the WordPress plugin team on March 4th, 2021.
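
Why text sanitisation does not address this class of bug, and what does, as an added example that is not the plugin's code. `Probe`, `text_clean()` (a simplified stand-in for `sanitize_text_field()`) and the three decode helpers are hypothetical names, the cookie value is constructed, and the two hardened decoders go beyond what the advisory itself describes.

```php
<?php
// Added example, not the plugin's code; all names below are hypothetical.

// Harmless stand-in for any loaded class that has a magic method.
class Probe {
    public static $woke = false;
    public $note = 'constructed sample';

    public function __wakeup() {
        self::$woke = true; // runs inside unserialize(), before any caller check
    }
}

// Simplified stand-in for sanitize_text_field() (assumption): tag stripping
// and whitespace cleanup. It cleans text; it does not validate structure.
function text_clean(string $value): string {
    return trim(preg_replace('/\s+/', ' ', strip_tags($value)));
}

// Pattern the advisory describes: clean as text, then unserialize.
function decode_weak(string $cookie) {
    return unserialize(text_clean($cookie));
}

// Hardened (PHP 7.0+): no class is instantiated, so no magic method can run.
function decode_no_objects(string $cookie) {
    return unserialize($cookie, ['allowed_classes' => false]);
}

// Preferred: a data-only format in which object syntax has no meaning.
function decode_json(string $cookie): array {
    $data = json_decode($cookie, true);
    return is_array($data) ? $data : [];
}

$cookie = serialize(new Probe()); // constructed cookie value

echo 'unchanged by text cleanup: ', var_export(text_clean($cookie) === $cookie, true), "\n";
decode_weak($cookie);
echo '__wakeup ran (weak): ', var_export(Probe::$woke, true), "\n";
Probe::$woke = false;
$value = decode_no_objects($cookie);
echo '__wakeup ran (allowed_classes=false): ', var_export(Probe::$woke, true), "\n";
echo 'type returned: ', get_class($value), "\n";
echo 'json decoder result: ', var_export(decode_json($cookie), true), "\n";
```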

The PoC will be displayed once the issue has been remediated.