CVE-2020-29047
published 2021-03-03


Priority: P182 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 14.27% (96.1th percentile)
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.

Affected

1 range

Vendor: thimpress
Product: wp_hotel_booking
Version range: <= 1.10.2
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

Cookie: thimpress_hotel_booking_1=O:11:"WPHB_Logger":1:{s:21:"%00WPHB_Logger%00_handles"%3BC:33:"Requests_Utility_FilteredIterator":67:{x:i:0%3Ba:1:{i:0%3Bs:2:"-1"%3B}%3Bm:a:1:{s:11:"%00*%00callback"%3Bs:7:"phpinfo"%3B}}}
Path: includes/class-wphb-sessions.php
  • Send a GET request to the target WordPress site with the cookie 'thimpress_hotel_booking_1' set to a serialized PHP object payload (WPHB_Logger with Requests_Utility_FilteredIterator gadget chain). A vulnerable site will execute the injected PHP function (e.g., phpinfo) and return 'PHP Extension' in the response body alongside 'wp-hotel-booking'.
  • Detection match: HTTP 200 response body containing both 'PHP Extension' and 'wp-hotel-booking' strings simultaneously indicates successful PHP object injection exploitation.
  • The vulnerable deserialization occurs in the 'load' function within includes/class-wphb-sessions.php when processing the 'thimpress_hotel_booking_1' cookie value via PHP unserialize().
  • The exploit gadget chain uses PHP class WPHB_Logger (object) containing a Requests_Utility_FilteredIterator instance with a controlled callback — monitor for serialized 'O:11:"WPHB_Logger"' strings in HTTP Cookie headers.
  • The exploit is unauthenticated (no WordPress login required) — PR:N in CVSS. Any visitor can send the malicious cookie, so WAF/IDS rules should inspect Cookie headers on all requests, not just authenticated sessions.
  • The PoC payload uses 'phpinfo' as the injected callback for detection/PoC purposes only. Real-world exploitation would substitute an arbitrary PHP function or system command in the callback field.
  • Affected versions are wp-hotel-booking through 1.10.2; the fix is present in 1.10.3+. Ensure version fingerprinting targets ≤1.10.2 to avoid false positives on patched installs.
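The detection notes above describe two signals: a serialized PHP object (`O:11:"WPHB_Logger"` with a `Requests_Utility_FilteredIterator` gadget) arriving in the `thimpress_hotel_booking_1` cookie, and a 200 response whose body contains both 'PHP Extension' and 'wp-hotel-booking'. The following Python is an added example, not part of this record or of any vendor tooling: it URL-decodes each cookie in a Cookie header, flags any value that carries a serialized PHP object or custom-serialized class (the general `O:<len>:"Class"` / `C:<len>:"Class"` forms, of which the page's IoC is one instance), and separately checks a logged response for the success indicator. Function names (`inspect_cookie_header`, `response_indicates_exploitation`), the severity labels and the sample header lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Serialized PHP object with a class name, e.g. O:11:"WPHB_Logger":1:{...}
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_][A-Za-z0-9_\\]*)"')
# Custom-serialized class (C:...), the form used by the gadget in this record
PHP_CUSTOM_RE = re.compile(r'C:\d+:"([A-Za-z_][A-Za-z0-9_\\]*)"')

# Class names named in this record's IoC; any other serialized object in a
# cookie is still reported, just at a lower severity (assumed labels).
WATCH_CLASSES = {"WPHB_Logger", "Requests_Utility_FilteredIterator"}
WATCH_COOKIE = "thimpress_hotel_booking_1"

# Constructed sample Cookie header values: one benign session, one carrying
# the IoC payload quoted in this record (URL-encoded as it would arrive).
SAMPLE_COOKIES = [
    "wordpress_test_cookie=WP+Cookie+check; thimpress_hotel_booking_1=s3ss10n-t0k3n",
    'thimpress_hotel_booking_1=O:11:"WPHB_Logger":1:{s:21:"%00WPHB_Logger%00_handles"'
    '%3BC:33:"Requests_Utility_FilteredIterator":67:{x:i:0%3Ba:1:{i:0%3Bs:2:"-1"%3B}'
    '%3Bm:a:1:{s:11:"%00*%00callback"%3Bs:7:"phpinfo"%3B}}}',
]


def parse_cookie_header(header):
    """Split a raw Cookie header into {name: raw_value}; values stay encoded."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return cookies


def inspect_cookie_header(header):
    """Return one finding per cookie whose decoded value holds a PHP object."""
    findings = []
    for name, raw in parse_cookie_header(header).items():
        decoded = unquote(raw)  # %00 -> NUL, %3B -> ';' etc.
        classes = PHP_OBJECT_RE.findall(decoded) + PHP_CUSTOM_RE.findall(decoded)
        if not classes:
            continue
        # Encoded NUL bytes are typical of protected/private property names in
        # PHP serialization and almost never appear in legitimate cookies.
        null_bytes = "\x00" in decoded
        severity = "high" if (name == WATCH_COOKIE or set(classes) & WATCH_CLASSES) else "medium"
        findings.append({
            "cookie": name,
            "classes": classes,
            "null_bytes": null_bytes,
            "severity": severity,
        })
    return findings


def response_indicates_exploitation(status, body):
    """Detection match from this record: 200 + both marker strings in the body."""
    return status == 200 and "PHP Extension" in body and "wp-hotel-booking" in body


if __name__ == "__main__":
    for header in SAMPLE_COOKIES:
        print(inspect_cookie_header(header))
```

The cookie check is deliberately broader than a literal string match on `O:11:"WPHB_Logger"`: a WAF rule keyed only to that exact prefix is trivially bypassed by re-encoding, whereas decoding first and matching the serialization grammar catches the same payload in any percent-encoded form. Run against access logs that capture the Cookie header (or inline at the proxy), and pair it with the response-side check so confirmed hits can be separated from blocked attempts.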

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL