CVE-2024-12370

5.3 MEDIUM

📋 TL;DR

The WP Hotel Booking plugin for WordPress is missing an authorization check on its room-creation function, so an unauthenticated attacker can add rooms with attacker-chosen prices. All versions up to and including 2.1.5 are affected; the fix shipped in 2.1.6. No login, nonce or other credential is needed, so any site exposing the plugin to the internet can have its room inventory and pricing manipulated by anyone who can send an HTTP request.

💻 Affected Systems

Products:
  • WP Hotel Booking WordPress Plugin
Versions: All versions up to and including 2.1.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the WP Hotel Booking plugin installed and activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could flood the system with fake rooms, manipulate pricing to cause financial loss, or disrupt legitimate hotel booking operations.

🟠

Likely Case

Attackers add rooms with incorrect pricing to cause confusion, test payment systems, or create fake inventory.

🟢

If Mitigated

With monitoring and rate limiting in place, impact is limited to spurious rooms and prices that can be identified and deleted; no code execution or data disclosure is involved.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No (none published at time of writing)
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and minimal skill: a single crafted HTTP POST to the plugin's AJAX endpoint is enough, so automated scanning of exposed sites should be expected even without a published PoC.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.6

Vendor Advisory (changeset diff, 2.1.5 to 2.1.6): https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3210798%40wp-hotel-booking%2Ftags%2F2.1.5&new=3214765%40wp-hotel-booking%2Ftags%2F2.1.6

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Hotel Booking and click 'Update Now'.
4. Verify the listed version is 2.1.6 or higher.

🔧 Temporary Workarounds

Disable Plugin (all platforms)

Temporarily deactivate WP Hotel Booking until it can be updated to 2.1.6. Deactivation leaves existing rooms and bookings in the database, but the plugin's public booking front end is unavailable while it is off.

wp plugin deactivate wp-hotel-booking

Web Application Firewall Rule (all platforms)

Block POST requests to admin-ajax.php whose 'action' parameter is the room-creation action. The action name 'hb_add_room' used below is the one this page cites; confirm it against the plugin's AJAX hooks in the linked changeset before deploying. A WAF cannot tell an authorized request from an unauthorized one, so this rule also blocks legitimate staff use of that action and is only a stopgap until 2.1.6 is installed. Example as a ModSecurity chained rule (pick an unused rule id):

# Deny POSTs to /wp-admin/admin-ajax.php carrying action=hb_add_room, whether the
# parameter arrives in the query string or the form body (ARGS covers both in phase 2).
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
    "id:1000123,phase:2,deny,status:403,log,msg:'CVE-2024-12370 WP Hotel Booking room creation blocked',chain"
    SecRule REQUEST_METHOD "@streq POST" "chain"
        SecRule ARGS:action "@streq hb_add_room"

🧯 If You Can't Patch

  • Implement strict rate limiting on admin-ajax.php; keep the limits loose enough for normal front-end traffic, since WordPress themes and plugins use this endpoint for unauthenticated requests too
  • Require web-server-level authentication or an IP allow-list for requests whose 'action' parameter is the room-creation action; admin-ajax.php itself must stay reachable because the plugin's public front end depends on it

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for the WP Hotel Booking version; any version 2.1.5 or lower is vulnerable if the plugin is active.

Check Version:

wp plugin list --name=wp-hotel-booking --field=version

Verify Fix Applied:

Verify plugin version is 2.1.6 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-admin/admin-ajax.php with 'action=hb_add_room' from requests that carry no wordpress_logged_in_ cookie (i.e. unauthenticated), especially repeated from the same source IP
  • Rooms appearing in the plugin's room list, or rooms with implausible prices, that no staff member created

Network Indicators:

  • HTTP POST requests to admin-ajax.php with room creation parameters from external IPs

SIEM Query:

source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND (form_data LIKE "%hb_add_room%" OR query_string LIKE "%hb_add_room%") AND user_agent NOT LIKE "%WordPress%"

Note: a standard web-server access log does not record the POST body, so the form_data clause only works on an application-level or WAF log that captures request parameters. The User-Agent filter drops WordPress's own loopback and WP-Cron requests to reduce noise; it is trivially spoofable and must not be treated as a trust boundary.
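The detection logic above, run over sample log lines, as an added example that is not part of the original page. It assumes an application-level or WAF log in JSON-lines form that records the method, path, query string, POST form body, cookie names and User-Agent for each request (a plain access log has no POST body, so an 'action' sent in the body would be invisible there). The action name 'hb_add_room' is the one this page uses and should be confirmed against the plugin's AJAX hooks; the log field names and the sample entries are constructed for the example.

```python
"""Flag unauthenticated room-creation attempts against WP Hotel Booking.

Added example, not code from the original page or from the plugin. Assumes a
JSON-lines request log with the fields used below (constructed field names);
a standard access log lacks the POST body and cannot support the body check.
"""
import json
from collections import Counter
from urllib.parse import parse_qs

ROOM_CREATE_ACTION = "hb_add_room"   # value cited on the page; confirm against plugin source
ADMIN_AJAX = "/wp-admin/admin-ajax.php"
THRESHOLD = 3                        # alert when one source IP reaches this many hits


def ajax_action(entry):
    """Return the admin-ajax 'action' parameter from the query string or the
    form body (WordPress accepts either), or None if absent."""
    for raw in (entry.get("query", ""), entry.get("body", "")):
        action = parse_qs(raw).get("action")
        if action:
            return action[0]
    return None


def is_logged_in(entry):
    """WordPress sets a cookie named wordpress_logged_in_<hash> for an
    authenticated session; its absence means the request is unauthenticated."""
    return any(c.startswith("wordpress_logged_in_") for c in entry.get("cookies", []))


def is_suspicious(entry):
    """Mirror the page's SIEM query: POST to admin-ajax.php carrying the
    room-creation action, not from WordPress's own loopback/cron client
    (noise reduction only; the User-Agent is spoofable), and unauthenticated."""
    return (
        entry.get("method") == "POST"
        and entry.get("uri") == ADMIN_AJAX
        and ajax_action(entry) == ROOM_CREATE_ACTION
        and "WordPress" not in entry.get("user_agent", "")
        and not is_logged_in(entry)
    )


def detect(lines, threshold=THRESHOLD):
    """Parse JSON-lines entries; return ({src_ip: hits} for IPs at or above
    threshold, list of every matching entry)."""
    hits = []
    per_ip = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if is_suspicious(entry):
            hits.append(entry)
            per_ip[entry["src_ip"]] += 1
    alerts = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return alerts, hits


# Constructed sample log (not real traffic): three unauthenticated attempts from
# 203.0.113.7 (action in body or query), one legitimate logged-in admin call,
# one WP-Cron loopback request, and one unrelated unauthenticated AJAX call.
SAMPLE_LOG = """
{"ts":"2024-12-10T10:00:01Z","src_ip":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","query":"","body":"action=hb_add_room&price=1","cookies":[],"user_agent":"python-requests/2.31"}
{"ts":"2024-12-10T10:00:02Z","src_ip":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","query":"action=hb_add_room","body":"price=1","cookies":[],"user_agent":"python-requests/2.31"}
{"ts":"2024-12-10T10:00:03Z","src_ip":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","query":"","body":"action=hb_add_room&price=0.01","cookies":[],"user_agent":"curl/8.4"}
{"ts":"2024-12-10T10:05:00Z","src_ip":"198.51.100.4","method":"POST","uri":"/wp-admin/admin-ajax.php","query":"","body":"action=hb_add_room&price=120","cookies":["wordpress_logged_in_abc123"],"user_agent":"Mozilla/5.0"}
{"ts":"2024-12-10T10:05:30Z","src_ip":"192.0.2.10","method":"POST","uri":"/wp-admin/admin-ajax.php","query":"","body":"action=hb_add_room","cookies":[],"user_agent":"WordPress/6.7; https://example.invalid"}
{"ts":"2024-12-10T10:06:00Z","src_ip":"203.0.113.9","method":"POST","uri":"/wp-admin/admin-ajax.php","query":"","body":"action=heartbeat","cookies":[],"user_agent":"Mozilla/5.0"}
"""

if __name__ == "__main__":
    alerts, hits = detect(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} unauthenticated {ROOM_CREATE_ACTION} request(s)")
    for ip, n in alerts.items():
        print(f"ALERT {ip}: {n} attempts")
```

On the constructed sample this reports three unauthenticated hits, all from 203.0.113.7, and raises one alert for that address; the logged-in admin call and the WP-Cron loopback are excluded. The logged-in-cookie check only tells you whether a session cookie was present, not whether it was valid or authorized, so treat matches as leads to confirm against the plugin's room list rather than proof of exploitation.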
