CVE-2024-3605
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress sites using the WP Hotel Booking plugin. By manipulating the 'room_type' parameter in the plugin's REST API endpoint, attackers can extract sensitive database information. All WordPress sites running WP Hotel Booking plugin version 2.1.0 or earlier are affected.
💻 Affected Systems
- WP Hotel Booking WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of user credentials, payment information, and administrative access leading to site takeover.
Likely Case
Extraction of sensitive data including user information, booking details, and potentially administrative credentials.
If Mitigated
Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.
🎯 Exploit Status
Simple SQL injection via REST API endpoint with no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.1 or later
Vendor Advisory: https://wordpress.org/plugins/wp-hotel-booking/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the WP Hotel Booking plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 2.1.1 or later from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable REST API Endpoint
Temporarily disable the vulnerable REST API endpoint until patching is possible.
Add to the theme's functions.php or a custom plugin:
    // Drop the vulnerable route from the REST API so requests to it are answered
    // with rest_no_route instead of reaching the plugin's search handler
    add_filter('rest_endpoints', function ($endpoints) {
        unset($endpoints['/wphb/v1/rooms/search-rooms']);
        return $endpoints;
    });
Web Application Firewall Rule
Block malicious requests to the vulnerable endpoint using a WAF.
WAF rule to block: POST /wp-json/wphb/v1/rooms/search-rooms with suspicious SQL patterns in room_type parameter
🧯 If You Can't Patch
- Disable the WP Hotel Booking plugin completely until patched
- Implement strict network filtering to block external access to /wp-json/wphb/v1/rooms/search-rooms endpoint
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin panel under Plugins > Installed Plugins. If WP Hotel Booking version is 2.1.0 or earlier, system is vulnerable.
Check Version:
wp plugin get wp-hotel-booking --field=version (if WP-CLI is installed; wp-hotel-booking is the plugin slug from its WordPress.org URL) or check the WordPress admin panel
Verify Fix Applied:
Verify plugin version is 2.1.1 or later in WordPress admin panel. Test REST API endpoint with SQL injection payloads to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-json/wphb/v1/rooms/search-rooms
- SQL error messages in WordPress debug logs
- Multiple failed SQL query attempts
Network Indicators:
- POST requests to vulnerable endpoint with SQL keywords in parameters
- Unusual database query patterns from web server
SIEM Query:
source="web_server_logs" AND uri_path="/wp-json/wphb/v1/rooms/search-rooms" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "INSERT" OR request_body CONTAINS "DELETE")
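As an added detection example (not part of the original advisory), the Python below applies the SIEM logic above to constructed web-server log lines: it restricts to POSTs on the vulnerable route, parses the form body, and decodes room_type a second time so URL-encoded and double-encoded keywords are still caught. The log format, the sample lines and the addresses in them are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Route and parameter named in the advisory; the keyword list mirrors the SIEM query.
VULN_PATH = "/wp-json/wphb/v1/rooms/search-rooms"
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE)\b", re.IGNORECASE)

# Constructed log format (assumption): ip "METHOD path HTTP/x" status body
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) (.*)$')

# Constructed sample lines; addresses are documentation ranges, not real observations.
SAMPLE_LINES = [
    '203.0.113.5 "POST /wp-json/wphb/v1/rooms/search-rooms HTTP/1.1" 200 '
    'room_type=standard%27+UNION+SELECT+1%2C2--+-&check_in_date=2024-05-01',
    '198.51.100.9 "POST /wp-json/wphb/v1/rooms/search-rooms HTTP/1.1" 200 '
    'room_type=1%2527%2520union%2520select%25201%252C2',  # double-encoded, lower case
    '192.0.2.7 "POST /wp-json/wphb/v1/rooms/search-rooms HTTP/1.1" 200 '
    'room_type=deluxe&adults=2',  # ordinary search
    '192.0.2.8 "POST /wp-json/wp/v2/posts HTTP/1.1" 201 title=Select+a+room',  # other route
]

def parse_log_line(line):
    """Split one constructed log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, body = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "body": body}

def suspicious_room_type(method, path, body):
    """Return the decoded room_type value if it carries SQL keywords, else None.
    parse_qs percent-decodes once; the extra unquote_plus catches double-encoded
    payloads that a substring match on the raw body (as in the SIEM query) misses."""
    if method.upper() != "POST" or path.split("?", 1)[0] != VULN_PATH:
        return None
    for value in parse_qs(body, keep_blank_values=True).get("room_type", []):
        decoded = unquote_plus(value)
        if SQL_KEYWORDS.search(decoded):
            return decoded
    return None

def scan(lines):
    """Return (ip, decoded room_type) for every line that trips the check."""
    hits = []
    for rec in filter(None, map(parse_log_line, lines)):
        value = suspicious_room_type(rec["method"], rec["path"], rec["body"])
        if value is not None:
            hits.append((rec["ip"], value))
    return hits
```

Running scan(SAMPLE_LINES) flags only the first two lines; word-boundary matching still flags legitimate values such as a room type named 'Union Suite', so tune the keyword list to your inventory before alerting on it.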
🔗 References
- https://wordpress.org/plugins/wp-hotel-booking/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5931ad4e-7de3-41ac-b783-f7e58aaef569?source=cve