CVE-2023-5991
Published: 2023-12-26
Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS: 3.31% (87.0th percentile)
The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| motopress | hotel_booking_lite | < 4.8.5 | 4.8.5 |
Detection & IOCs (extracted from sources)
- Look for GET requests containing both a 'filename=' parameter with path traversal sequences (../../) and the 'mphb_action=download' query parameter; this is the unauthenticated exploit trigger for arbitrary file download.
- HTTP response headers containing 'filename=' and '/etc/passwd' indicate successful exploitation and file exfiltration.
- Presence of the plugin path '/wp-content/plugins/motopress-hotel-booking' in an HTTP response body can be used to fingerprint vulnerable WordPress installations via Shodan, FOFA, or PublicWWW.
- No authentication or CSRF token is required; exploitation is fully unauthenticated via a single GET request. Monitor for anomalous unauthenticated access to the mphb_action=download endpoint.
- The vulnerability affects Hotel Booking Lite versions strictly before 4.8.5; version 4.8.5 and later are patched. Confirm the installed plugin version before acting on detections.
- Both file download and file deletion are possible via this unauthenticated path traversal, so exploitation may leave no file artifact behind if the attacker deletes evidence.
- EPSS score of 0.75076 (98.875th percentile) indicates a very high probability of active exploitation in the wild; treat detections as high priority.
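Detection logic for the first and fourth indicators above, as an added example that is not from the page's sources: it parses constructed combined-format access log lines (not real traffic) and flags GET requests that carry mphb_action=download together with a filename value containing a traversal sequence. It goes slightly beyond the literal '../../' in the indicator by also catching URL-encoded and double-encoded forms.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [26/Dec/2023:10:01:02 +0000] "GET /wp-content/plugins/motopress-hotel-booking/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Dec/2023:10:01:05 +0000] "GET /?mphb_action=download&filename=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.4.0"
198.51.100.7 - - [26/Dec/2023:10:02:11 +0000] "GET /?mphb_action=download&filename=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3021 "-" "python-requests/2.31"
198.51.100.7 - - [26/Dec/2023:10:02:20 +0000] "GET /?mphb_action=download&filename=invoice-42.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.5 - - [26/Dec/2023:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A '..' path component delimited by '/' or '\' (or at either end of the value).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def has_traversal(value: str) -> bool:
    # Decode twice so single- (%2e%2e%2f) and double-encoded (%252e) forms are caught.
    decoded = unquote(unquote(value))
    return bool(TRAVERSAL_RE.search(decoded))


def find_mphb_traversal(log_text: str) -> list[dict]:
    """Return one record per request matching the CVE-2023-5991 download trigger."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "download" not in qs.get("mphb_action", []):
            continue
        bad = [f for f in qs.get("filename", []) if has_traversal(f)]
        if bad:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "filename": unquote(unquote(bad[0]))})
    return hits


if __name__ == "__main__":
    for hit in find_mphb_traversal(SAMPLE_ACCESS_LOG):
        print(hit)
```

A 200 status on a flagged request is the strongest signal; combine it with the '/etc/passwd' response-header indicator where response logging is available.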
No detection rules found.
Nuclei template (CVSS 9.8): CVE-2023-5991 [CRITICAL] Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion
Template:

```yaml
id: CVE-2023-5991

info:
  name: Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion
  author: s4e-io
  severity: critical
  description: |
    The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server
  impact: |
    Unauthenticated attackers can exploit missing validation and
```