CVE-2023-5651

CWE-732 — Incorrect Permission Assignment CWE-862 — Missing Authorization CWE-352 — Cross-Site Request Forgery (CSRF)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.0%

top 87.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown WP Hotel Booking Thimpress WP Hotel Booking

Timeline

PublishedNov 20

Description

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated users, such as subscriber to delete arbitrary posts

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5unknown/wp_hotel_booking< 2.0.8

▶NVDthimpress/wp_hotel_booking< 2.0.8

🔴Vulnerability Details

CVEList

WP Hotel Booking < 2.0.8 - Subscriber+ Arbitrary Post Deletion↗2023-11-20

▶

GHSA

GHSA-f9vh-fjmh-q969: The WP Hotel Booking WordPress plugin before 2↗2023-11-20

▶