CVE-2023-5652 – CVE-2023-5652 is a critical SQL injection vulne... (How to Fix)

Q: What is the severity of CVE-2023-5652?

CVE-2023-5652 has a CVSS score of 9.8 (CRITICAL). CVE-2023-5652 is a critical SQL injection vulnerability in the WP Hotel Booking WordPress plugin. Unauthenticated attackers can exploit missing authorization and input sanitization to execute arbitrary SQL commands. All WordPress sites using vulnerable versions of this plugin are affected.

📋 TL;DR

CVE-2023-5652 is a critical SQL injection vulnerability in the WP Hotel Booking WordPress plugin. Unauthenticated attackers can exploit missing authorization and input sanitization to execute arbitrary SQL commands. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:

WP Hotel Booking WordPress Plugin

Versions: All versions before 2.0.8

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires plugin to be installed and activated. No special configuration needed for exploitation.

📦 What is this software?

Wp Hotel Booking by Thimpress

View all CVEs affecting Wp Hotel Booking →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, privilege escalation, remote code execution, and full site takeover.

🟠

Likely Case

Database extraction of sensitive information including user credentials, payment data, and administrative access.

🟢

If Mitigated

Limited impact with proper WAF rules, database permissions, and network segmentation in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward due to missing authentication checks and simple SQL injection vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.8

Vendor Advisory: https://wpscan.com/vulnerability/8ea46b9a-5239-476b-949d-49546371eac1

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP Hotel Booking plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.0.8+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the vulnerable plugin until patched

wp plugin deactivate wp-hotel-booking

WAF Rule Implementation

all

Block SQL injection attempts targeting admin_init hooks

🧯 If You Can't Patch

Implement strict network access controls to limit plugin exposure
Enable database query logging and monitoring for suspicious SQL patterns

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins

Check Version:

wp plugin get wp-hotel-booking --field=version

Verify Fix Applied:

Confirm WP Hotel Booking plugin version is 2.0.8 or higher

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed admin_init requests from single IP
POST requests to wp-admin with SQL patterns

Network Indicators:

HTTP requests containing SQL injection payloads targeting admin endpoints
Unusual traffic patterns to /wp-admin/admin-post.php

SIEM Query:

source="web_logs" AND (uri_path="/wp-admin/admin-post.php" OR uri_path="/wp-admin/admin-ajax.php") AND (http_method="POST") AND (user_agent CONTAINS "sqlmap" OR request_body MATCHES "(?i)(union|select|insert|update|delete|drop|exec)")

📊 Metadata

CVE ID: CVE-2023-5652

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: November 20, 2023

Last Updated: November 21, 2024

🔗 References

https://wpscan.com/vulnerability/8ea46b9a-5239-476b-949d-49546371eac1 Exploit,Third Party Advisory
https://wpscan.com/vulnerability/8ea46b9a-5239-476b-949d-49546371eac1 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-5652, you might also want to check these: