CVE-2024-2441
📋 TL;DR
The VikBooking WordPress plugin before version 1.6.8 contains an authorization bypass vulnerability that allows authenticated users with subscriber-level privileges or higher to access administrative settings they shouldn't have permission to view. This affects WordPress sites running vulnerable versions of the VikBooking Hotel Booking Engine & PMS plugin.
💻 Affected Systems
- VikBooking Hotel Booking Engine & PMS WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Any authenticated account, down to a self-registered subscriber, can open VikBooking's administrative screens. Where those screens also accept changes, an attacker could alter booking settings, pricing, availability or other hotel-management configuration, disrupting operations or enabling financial fraud.
Likely Case
A malicious subscriber, or an attacker holding a compromised low-privilege account, could view sensitive booking and customer data and change whatever settings the exposed screens allow.
If Mitigated
With registration closed, low-privilege accounts reviewed and access to the plugin's admin pages monitored, impact is limited to unauthorized viewing of some administrative interfaces without exposure of critical data.
🎯 Exploit Status
Exploitation requires an authenticated WordPress account but nothing beyond that: any subscriber-level login is enough, so sites that allow self-registration (Settings → General → "Anyone can register") are exposed to anonymous attackers who simply create an account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.8
Advisory (WPScan): https://wpscan.com/vulnerability/9647e273-5724-4a02-868d-9b79f4bb2b79/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find VikBooking Hotel Booking Engine & PMS.
4. Click "Update Now" if an update is available.
5. Alternatively, download version 1.6.8 or later from the wordpress.org plugin repository and update manually.
🔧 Temporary Workarounds
Temporarily disable the plugin
Deactivate the VikBooking plugin until it is patched; this takes the booking functionality offline.
wp plugin deactivate vikbooking
Restrict user roles
Disable open registration (Settings → General → uncheck "Anyone can register") so attackers cannot create subscriber accounts, and review existing subscriber-level users, removing any you do not recognise. Removing subscriber accounts wholesale is only an option if the site does not depend on them.
🧯 If You Can't Patch
- Keep registration closed, review who holds accounts on the site, and alert on any non-administrator request to VikBooking's admin pages (see Detection & Monitoring below).
- Use web application firewall rules to restrict the VikBooking admin pages (/wp-admin/admin.php?page=vikbooking and related endpoints) to known administrator IP addresses. A WAF cannot see the WordPress role behind a session cookie, so IP allow-listing is the practical control at that layer.
🔍 How to Verify
Check if Vulnerable:
Open WordPress admin → Plugins → Installed Plugins and read the VikBooking version. Any version below 1.6.8 is vulnerable. Compare versions numerically, component by component (1.6.10 is newer than 1.6.8), not as strings.
Check Version:
wp plugin get vikbooking --field=version
Verify Fix Applied:
Confirm VikBooking plugin version is 1.6.8 or higher in WordPress admin panel.
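The version comparison above is easy to get wrong in a script, because "1.6.10" sorts before "1.6.8" as a string. The following is an added example, not code from the advisory or from the plugin: it reads the "Version:" line from a standard WordPress plugin header (the sample header below is constructed, not the real file contents) and compares it against the fixed release component by component. The same is_vulnerable() check works on the output of wp plugin get vikbooking --field=version.

```python
"""Decide whether an installed VikBooking version is below the fixed 1.6.8.

Added example, not part of the advisory. It assumes the plugin's main file
carries a standard WordPress plugin header (a "Version:" line) and that the
version string comes either from that header or from
`wp plugin get vikbooking --field=version`.
"""
import re

FIXED_VERSION = "1.6.8"

# Constructed sample of a WordPress plugin header (not the real plugin file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: VikBooking Hotel Booking Engine & PMS
Version: 1.6.10
*/
"""


def parse_plugin_version(header_text: str) -> str:
    """Return the value of the 'Version:' header line.

    The leading character class mirrors how WordPress tolerates comment
    decoration (' ', tab, '/', '*', '#', '@') in front of header keys.
    """
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def version_tuple(version: str) -> tuple:
    """Split '1.6.7.1' into (1, 6, 7, 1).

    Trailing zeros are dropped so 1.6.8 and 1.6.8.0 compare equal; any
    non-numeric suffix (e.g. '-beta') is ignored, so a pre-release of the
    fixed version is treated as the fixed version.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` sorts before the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


if __name__ == "__main__":
    for v in ("1.6.7", "1.6.7.1", "1.6.8", "1.6.10", parse_plugin_version(SAMPLE_HEADER)):
        print(f"{v:>8}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Feed it the version string from WP-CLI, for example `python3 check.py "$(wp plugin get vikbooking --field=version)"` with a small argv wrapper, or paste the plugin header into it; either way the decision is made on numeric components, not on string order.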
📡 Detection & Monitoring
Log Indicators:
- Unusual access to /wp-admin/admin.php?page=vikbooking or similar VikBooking admin endpoints by non-admin users
- Multiple failed authorization attempts followed by successful access to restricted settings
Network Indicators:
- Requests to VikBooking admin pages (/wp-admin/admin.php?page=vikbooking and related endpoints) from source IPs or sessions not associated with administrator accounts. A web server access log does not record the WordPress role, so role-based detection needs an audit/activity log or a join against the user table.
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin.php" AND query_string="*page=vikbooking*") AND user_role!="administrator"
The field names (uri_path, query_string, user_role) depend on the log source; adjust them to match your audit log's schema.
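The same logic as the SIEM query, run offline over log lines, as an added example that is not part of the advisory. It assumes an audit/activity log in JSON-per-line form that records the acting user's role with each request (field names follow the query above); the log lines embedded below are constructed sample data. It parses the query string properly instead of substring matching, treats a user holding several roles as privileged only if one of them is administrator, and reports blocked attempts (status 403, as a patched site would return) as well as successful ones, since a blocked attempt still identifies the probing account.

```python
"""Flag non-administrator access to VikBooking admin pages in an audit log.

Added example, not from the advisory. It assumes a WordPress audit/activity
log with one JSON object per line carrying user, user_role, uri_path,
query_string and status; a plain web server access log has no role field.
SAMPLE_LOG below is constructed sample data.
"""
import json
from urllib.parse import parse_qs

ADMIN_PAGE = "/wp-admin/admin.php"
# Consistent with the advisory's "*page=vikbooking*" wildcard: any admin
# page whose "page" parameter starts with "vikbooking" is treated as the plugin's.
PLUGIN_PAGE_PREFIX = "vikbooking"
PRIVILEGED_ROLES = {"administrator"}

SAMPLE_LOG = """\
{"ts": "2024-03-10T09:12:01Z", "user": "owner", "user_role": "administrator", "uri_path": "/wp-admin/admin.php", "query_string": "page=vikbooking&view=config", "status": 200}
{"ts": "2024-03-10T09:13:44Z", "user": "guest42", "user_role": "subscriber", "uri_path": "/wp-admin/admin.php", "query_string": "page=vikbooking&view=config", "status": 200}
{"ts": "2024-03-10T09:14:02Z", "user": "guest42", "user_role": "subscriber", "uri_path": "/wp-admin/profile.php", "query_string": "", "status": 200}
{"ts": "2024-03-10T09:15:30Z", "user": "editor1", "user_role": ["editor", "subscriber"], "uri_path": "/wp-admin/admin.php", "query_string": "page=vikbooking", "status": 200}
{"ts": "2024-03-10T09:16:11Z", "user": "guest42", "user_role": "subscriber", "uri_path": "/wp-admin/admin.php", "query_string": "page=notvikbooking", "status": 200}
{"ts": "2024-03-10T09:17:05Z", "user": "guest42", "user_role": "subscriber", "uri_path": "/wp-admin/admin.php", "query_string": "page=vikbooking&view=config", "status": 403}
"""


def vikbooking_pages(uri_path: str, query_string: str) -> list:
    """Return the VikBooking 'page' values requested, or [] if not a plugin admin page."""
    if uri_path != ADMIN_PAGE:
        return []
    pages = parse_qs(query_string).get("page", [])
    return [p for p in pages if p.startswith(PLUGIN_PAGE_PREFIX)]


def is_vikbooking_admin_request(uri_path: str, query_string: str) -> bool:
    return bool(vikbooking_pages(uri_path, query_string))


def roles_of(entry: dict) -> set:
    """Normalise user_role, which some loggers emit as a list, to a set."""
    role = entry.get("user_role", "")
    return set(role) if isinstance(role, list) else {role}


def find_unauthorized_access(log_text: str) -> list:
    """Return one finding per non-administrator request to a VikBooking admin page."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        pages = vikbooking_pages(entry.get("uri_path", ""), entry.get("query_string", ""))
        if not pages:
            continue
        roles = roles_of(entry)
        if roles & PRIVILEGED_ROLES:
            continue
        findings.append({
            "ts": entry.get("ts"),
            "user": entry.get("user"),
            "roles": sorted(roles),
            "page": pages[0],
            # The vulnerable plugin serves the page normally (2xx); after the
            # fix the same request is refused, so keep both but tell them apart.
            "succeeded": int(entry.get("status", 0)) < 400,
        })
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_access(SAMPLE_LOG):
        outcome = "SUCCEEDED" if f["succeeded"] else "blocked"
        print(f"{f['ts']} {f['user']} {','.join(f['roles'])} {f['page']} {outcome}")
```

On the sample data this reports guest42 (subscriber) and editor1 (editor) reaching the VikBooking configuration page; the profile.php request and the page=notvikbooking request are correctly ignored, which a bare substring match on the raw request line would not guarantee.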