CVE-2023-5652
Published: 2023-11-20
Priority: P2 · 79 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 63.71% (99.1st percentile)
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admin_init, allowing unauthenticated users to perform SQL injections
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thimpress | wp_hotel_booking | < 2.0.8 | 2.0.8 |
Detection & IOCs (extracted from sources)

Sigma (as indexed):

```yaml
title: WP Hotel Booking SQLi CVE-2023-5652
id: <UNKNOWN>
description: Detects unauthenticated SQL injection attempts against WP Hotel Booking plugin via admin_init hook
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2023-5652
detection:
  selection:
    - 'regex("^0$", body)'
    - 'status_code == 400'
    - 'contains(content_type, "text/html")'
  condition: and
```

Notes extracted from sources:

- The vulnerability is triggered via a function hooked to admin_init, meaning unauthenticated HTTP requests to wp-admin/admin-post.php or similar admin_init-triggering endpoints should be monitored for SQL injection payloads.
- No authentication or CSRF token is required to exploit this vulnerability; monitor for unauthenticated POST/GET requests to admin_init-hooked endpoints from the WP Hotel Booking plugin.
- Nuclei template detection logic uses a regex match for body value '0', HTTP status 400, and content-type text/html as combined indicators of a successful probe response.
- The Nuclei template digest can be used to verify template integrity and identify the specific template in use.
- Only WP Hotel Booking plugin versions before 2.0.8 are affected; patched in 2.0.8.
No detection rules found.
Nuclei template: CVE-2023-5652 [CRITICAL] WP Hotel Booking <= 2.0.7 - SQL Injection (CVSS 9.8)

Template excerpt as indexed:

```yaml
WP Hotel Booking =8'
    - 'regex("^0$", body)'
    - 'status_code == 400'
    - 'contains(content_type, "text/html")'
  condition: and
# digest: 4a0a004730450221008879f4e43047983c8c70f5daf1d83ae88616331e8cfcc10fad23cbeb2aa071a5022055a1e3fd28df5c67af461f6cc18040a6f61ce09694cb1ca1173aeed4fdbfd0f4:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.