Login Sign Up

CVE-2024-51582

7.5 HIGH
Path Traversal

📋 TL;DR

This path traversal vulnerability in the ThimPress WP Hotel Booking WordPress plugin allows attackers to include local PHP files using '.../...//' sequences. It affects all WordPress sites running WP Hotel Booking versions up to 2.1.4, potentially leading to sensitive information disclosure or remote code execution.

💻 Affected Systems

Products:
  • ThimPress WP Hotel Booking WordPress Plugin
Versions: All versions up to and including 2.1.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with the vulnerable plugin version installed and activated.

📦 What is this software?

Wp Hotel Booking by Thimpress

View all CVEs affecting Wp Hotel Booking →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data exfiltration, and website defacement.

🟠

Likely Case

Sensitive file disclosure including configuration files, database credentials, and user data.

🟢

If Mitigated

Limited impact with proper file permissions and web server restrictions preventing PHP execution in sensitive directories.

🌐 Internet-Facing: HIGH - WordPress plugins are typically internet-facing and this vulnerability requires no authentication.
🏢 Internal Only: MEDIUM - Internal WordPress instances could still be targeted via phishing or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple path traversal payloads can be used to include local PHP files. Public exploit details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.5 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/wp-hotel-booking/wordpress-wp-hotel-booking-plugin-2-1-4-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP Hotel Booking and click 'Update Now'. 4. Verify version is 2.1.5 or higher.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the WP Hotel Booking plugin until patched

wp plugin deactivate wp-hotel-booking

Web Application Firewall Rule

all

Block requests containing path traversal sequences

Add WAF rule to block patterns like '.../...//' and '../' sequences

🧯 If You Can't Patch

  • Implement strict file permissions (644 for files, 755 for directories) to limit readable files
  • Use web server configuration to restrict PHP execution in sensitive directories

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for WP Hotel Booking version

Check Version:

wp plugin get wp-hotel-booking --field=version

Verify Fix Applied:

Verify plugin version is 2.1.5 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '.../...//' sequences
  • Access to unexpected PHP files via plugin endpoints

Network Indicators:

  • Unusual file inclusion patterns in HTTP requests to /wp-content/plugins/wp-hotel-booking/

SIEM Query:

web.url:*wp-hotel-booking* AND (web.url:*.../...//* OR web.url:*../*)

📊 Metadata

CVE ID: CVE-2024-51582
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-35
Published: November 4, 2024
Last Updated: November 6, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-51582, you might also want to check these:

CVE-2025-30515 9.8

CVE-2025-30515 is a path traversal vulnerability in CyberData 011209 Intercom systems that allows au...

Same vulnerability type (CWE-35)
CVE-2025-39467 9.8

This CVE describes a path traversal vulnerability in the Mikado-Themes Wanderland WordPress theme th...

Same vulnerability type (CWE-35)
CVE-2025-41723 9.8

CVE-2025-41723 is a critical directory traversal vulnerability in the importFile SOAP method that al...

Same vulnerability type (CWE-35)