CVE-2023-5991
📋 TL;DR
This vulnerability in the Hotel Booking Lite WordPress plugin allows unauthenticated attackers to download and delete arbitrary files on the server due to missing path validation, CSRF protection, and authorization checks. Any WordPress site running the vulnerable plugin version is affected, potentially leading to complete system compromise.
💻 Affected Systems
- Hotel Booking Lite WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover via arbitrary file deletion/download, including sensitive system files, configuration files, and database credentials, leading to data breach and service disruption.
Likely Case
Unauthenticated attackers download WordPress configuration files containing database credentials, then use those credentials to compromise the database and escalate privileges.
If Mitigated
With proper web application firewalls and file permission restrictions, impact is limited to non-critical files within the web root directory.
🎯 Exploit Status
Exploitation requires only HTTP requests with crafted parameters. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.5
Vendor Advisory: https://wpscan.com/vulnerability/e9d35e36-1e60-4483-b8b3-5cbf08fcd49e
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Hotel Booking Lite plugin.
4. Click 'Update Now' if an update is available.
5. If no update shows, manually download version 4.8.5+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable endpoints via .htaccess
Block access to the vulnerable plugin endpoints that handle file operations. Confirm the plugin's actual directory name under wp-content/plugins/ on your install before applying the rule, and note that it denies direct requests to every PHP file in that directory, so legitimate plugin endpoints are blocked as well until the update is applied.
# Add to .htaccess in WordPress root directory
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-content/plugins/hotel-booking-lite/.*\.php$ - [F,L]
</IfModule>
Temporarily disable plugin
Deactivate the Hotel Booking Lite plugin until it is patched
wp plugin deactivate hotel-booking-lite
🧯 If You Can't Patch
- Implement strict web application firewall rules to block requests containing file path traversal patterns (../, ..\, etc.), including their URL-encoded and double-encoded forms (for example %2e%2e%2f, %252e%252e%252f)
- Restrict file permissions on sensitive directories and implement principle of least privilege for web server user
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel > Plugins > Hotel Booking Lite for the version number. If the version is below 4.8.5, the system is vulnerable.
Check Version:
wp plugin get hotel-booking-lite --field=version
Verify Fix Applied:
Verify that the plugin version is 4.8.5 or higher in the WordPress admin panel. Test with a controlled exploit attempt only in a test environment where it is safe to do so.
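A dotted version string has to be compared numerically, not as text: a plain string comparison treats "4.10.0" as lower than "4.8.5" and would report a patched install as vulnerable. The following Python helper is an added example for this page, not code from the advisory or the plugin vendor. It parses the value printed by the wp-cli command above (or copied from the admin panel) and reports whether it falls below the patched version 4.8.5; ignoring a suffix such as "-beta1" and padding "4.8" to "4.8.0" are assumptions made here.

```python
import re

# Patched version from the advisory
PATCHED_VERSION = "4.8.5"


def parse_version(text):
    """Turn a version string into a tuple of ints, e.g. "4.8.5\\n" -> (4, 8, 5).

    Assumption: only the leading dotted numeric part matters; a suffix such as
    "-beta1" is ignored. Leading whitespace is tolerated, as is the trailing
    newline that wp-cli prints.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed, patched=PATCHED_VERSION):
    """True when the installed version is strictly below the patched version."""
    a, b = parse_version(installed), parse_version(patched)
    # Pad the shorter tuple with zeros so "4.8" compares as (4, 8, 0)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


if __name__ == "__main__":
    # Constructed sample values, including the case plain string comparison gets wrong
    for sample in ("4.8.4", "4.8.5", "4.10.0", "4.8", "4.8.5\n"):
        print(f"{sample.strip()!r:>10} vulnerable: {is_vulnerable(sample)}")
```

Feed it the raw output of wp plugin get hotel-booking-lite --field=version; the trailing newline is handled.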
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/hotel-booking-lite/ with file path parameters containing ../ patterns
- Multiple 200 OK responses to plugin endpoints from unauthenticated users
- File deletion or download operations in web server logs
Network Indicators:
- Unusual outbound file transfers from web server
- HTTP requests with path traversal sequences in parameters
SIEM Query:
source="web_server_logs" AND (uri="/wp-content/plugins/hotel-booking-lite/*" AND (param="*../*" OR param="*..\\*"))
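The log indicators listed above can be checked directly against raw access logs. The following Python script is an added example written for this page, not code from the advisory, WPScan or the plugin vendor. It parses Apache combined-format lines, keeps only requests under the plugin path named above, percent-decodes the request up to three layers so that ..%2F and %252e%252e%252f are caught alongside a literal ../ or ..\, and reports the source IP and HTTP status of each traversal attempt, counting the 200 responses per client. The endpoint file name EXAMPLE-endpoint.php, the path parameter and the log lines are constructed placeholders; the advisory does not name the real file-handling endpoint.

```python
import re
from urllib.parse import unquote, urlsplit

# Plugin directory from the advisory. The endpoint file name and the "path"
# parameter used in the sample lines are PLACEHOLDERS, not the real endpoint.
PLUGIN_PREFIX = "/wp-content/plugins/hotel-booking-lite/"

# Constructed Apache "combined" log lines for this example (not from a real incident).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2023:10:01:02 +0000] "GET /wp-content/plugins/hotel-booking-lite/EXAMPLE-endpoint.php?path=../../../../wp-config.php HTTP/1.1" 200 3182 "-" "curl/8.1.2"
203.0.113.10 - - [10/Nov/2023:10:01:05 +0000] "GET /wp-content/plugins/hotel-booking-lite/EXAMPLE-endpoint.php?path=..%2F..%2Fwp-config.php HTTP/1.1" 200 3182 "-" "curl/8.1.2"
203.0.113.10 - - [10/Nov/2023:10:01:09 +0000] "GET /wp-content/plugins/hotel-booking-lite/EXAMPLE-endpoint.php?path=%252e%252e%252fwp-config.php HTTP/1.1" 200 3182 "-" "curl/8.1.2"
203.0.113.10 - - [10/Nov/2023:10:01:12 +0000] "GET /wp-content/plugins/hotel-booking-lite/EXAMPLE-endpoint.php?path=..%5c..%5cwp-config.php HTTP/1.1" 403 199 "-" "curl/8.1.2"
198.51.100.7 - - [10/Nov/2023:10:02:00 +0000] "GET /wp-content/plugins/hotel-booking-lite/assets/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2023:10:02:30 +0000] "GET /index.php?s=../etc/passwd HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# "../" or "..\" after decoding
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def fully_decode(value, max_rounds=3):
    """Strip up to max_rounds layers of percent-encoding, so ..%2F and
    %252e%252e%252f both reduce to ../ before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_traversal_attempt(target):
    """True when the request targets the plugin directory and carries a traversal
    sequence (raw, percent-encoded or double-encoded) in its path or query."""
    parts = urlsplit(target)
    if not parts.path.startswith(PLUGIN_PREFIX):
        return False
    return bool(TRAVERSAL_RE.search(fully_decode(parts.path + "?" + parts.query)))


def find_suspicious(log_text):
    """Return (ip, status, target) for every traversal attempt against the plugin,
    whether or not the server answered it."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_traversal_attempt(rec["target"]):
            findings.append((rec["ip"], rec["status"], rec["target"]))
    return findings


def successful_by_ip(findings):
    """Count traversal requests that received HTTP 200, keyed by client IP.
    Per the indicators above, a 200 on such a request is the strongest signal."""
    counts = {}
    for ip, status, _ in findings:
        if status == "200":
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for ip, status, target in hits:
        print(f"{ip} {status} {target}")
    print("successful traversal requests per IP:", successful_by_ip(hits))
```

The decoding step is what the SIEM query above lacks: a wildcard match on a literal ../ misses the percent-encoded variants, so a production rule should normalise the parameter before matching, as this script does.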