CVE-2020-29047
Published 2021-03-03
Priority P182 · critical 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 14.27% (96.1st percentile)
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thimpress | wp_hotel_booking | <= 1.10.2 | — |
Detection & IOCs (extracted from sources)

Cookie IoC: `thimpress_hotel_booking_1=O:11:"WPHB_Logger":1:{s:21:"%00WPHB_Logger%00_handles"%3BC:33:"Requests_Utility_FilteredIterator":67:{x:i:0%3Ba:1:{i:0%3Bs:2:"-1"%3B}%3Bm:a:1:{s:11:"%00*%00callback"%3Bs:7:"phpinfo"%3B}}}`

- Send a GET request to the target WordPress site with the cookie 'thimpress_hotel_booking_1' set to a serialized PHP object payload (WPHB_Logger with Requests_Utility_FilteredIterator gadget chain). A vulnerable site will execute the injected PHP function (e.g., phpinfo) and return 'PHP Extension' in the response body alongside 'wp-hotel-booking'.
- Detection match: an HTTP 200 response body containing both the 'PHP Extension' and 'wp-hotel-booking' strings simultaneously indicates successful PHP object injection exploitation.
- The vulnerable deserialization occurs in the 'load' function within includes/class-wphb-sessions.php when the 'thimpress_hotel_booking_1' cookie value is processed via PHP unserialize().
- The exploit gadget chain uses the PHP class WPHB_Logger (object) containing a Requests_Utility_FilteredIterator instance with a controlled callback — monitor for serialized 'O:11:"WPHB_Logger"' strings in HTTP Cookie headers.
- The exploit is unauthenticated (no WordPress login required) — PR:N in CVSS. Any visitor can send the malicious cookie, so WAF/IDS rules should inspect Cookie headers on all requests, not just authenticated sessions.
- The PoC payload uses 'phpinfo' as the injected callback for detection/PoC purposes only. Real-world exploitation would substitute an arbitrary PHP function or system command in the callback field.
- Affected versions are wp-hotel-booking through 1.10.2; the fix is present in 1.10.3+. Ensure version fingerprinting targets ≤1.10.2 to avoid false positives on patched installs.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-x3pf-797q-q9j6 · ghsa_unreviewed · 2022-05-24 · CVE-2020-29047 [CRITICAL] · CWE-502
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
VulnCheck
thimpress wp_hotel_booking Deserialization of Untrusted Data · vulncheck · 2020 · CVSS 9.8 · CVE-2020-29047 [CRITICAL]
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
Affected: thimpress wp_hotel_booking
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://go.catonetworks.com/rs/245-RJK-441/images/security%20Quarterly%20Report%20q2.pdf
No detection rules found.
Nuclei
WP Hotel Booking < 1.10.4 - PHP Object Injection · nuclei · CVSS 9.8 · CVE-2020-29047 [CRITICAL]
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
Template:

```yaml
id: CVE-2020-29047

info:
  name: WP Hotel Booking < 1.10.4 - PHP Object Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
  impact: |
    Unauthenticated attackers can exploit PHP object injection to execute arbitrary code, leading to complete server compromise.
  remediation:
```
No writeups or analysis indexed.