CVE-2024-53800

8.1 HIGH

📋 TL;DR

Attacker-controlled input reaches a PHP include/require call in the Rezgo Online Booking WordPress plugin, so an attacker can make the server include a local file of their choosing (local file inclusion). Reading files such as wp-config.php discloses database credentials and salts; if the attacker can also get PHP code into a file the server will include (an upload or a log, for example), the same flaw becomes code execution. All plugin versions up to and including 4.15 are affected. Administrators running this plugin should update to 4.16 or later immediately.

💻 Affected Systems

Products:
  • Rezgo Online Booking WordPress Plugin
Versions: all versions up to and including 4.15 (fixed in 4.16)
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP environment and WordPress installation with Rezgo plugin active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠 Likely Case

Local file inclusion allowing an attacker to read sensitive files such as configuration files (wp-config.php), logs, or plugin and theme source code.

🟢 If Mitigated

File reads limited to what the web-server user can already access, provided file permissions are tight and PHP's open_basedir is set to the WordPress document root. Note that these controls only limit the damage; the inclusion flaw itself remains until the plugin is updated or deactivated.

🌐 Internet-Facing: HIGH - WordPress plugins are typically internet-facing, and plugin endpoints are reachable by any visitor who can load the site.
🏢 Internal Only: LOW - an intranet-only WordPress install with this plugin is still vulnerable, but only users who can reach the site can exploit it.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ❌ No
Complexity: MEDIUM

No public proof of concept is known at the time of writing. Exploitation requires an account on the target site and familiarity with PHP file inclusion bugs and the plugin's request handling; once the vulnerable parameter is identified, the attack itself is a single crafted HTTP request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.16 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/rezgo/vulnerability/wordpress-rezgo-online-booking-plugin-4-15-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Rezgo Online Booking plugin.
4. Click 'Update Now' if an update is available.
5. If no update is offered, manually download version 4.16 or later from the WordPress plugin repository and replace the plugin files.

🔧 Temporary Workarounds

Disable Plugin (WordPress)

Temporarily deactivate the Rezgo plugin until patching is possible:

wp plugin deactivate rezgo

Restrict File Access (all platforms)

Configure the web server and PHP to limit what the web-server user can read: deny direct HTTP access to wp-config.php and other sensitive files, keep file permissions minimal, and set PHP's open_basedir to the WordPress document root so an included path cannot escape it.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block file inclusion patterns; match on URL-decoded parameters, since encoded traversal (%2e%2e%2f and double-encoded variants) slips past a literal ../ rule
  • Restrict PHP execution in upload directories and disable dangerous PHP functions; keep allow_url_include off so the inclusion cannot be turned into a remote one

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Rezgo Online Booking version. If version is 4.15 or earlier, you are vulnerable.

Check Version:

wp plugin get rezgo --field=version

Verify Fix Applied:

Verify plugin version is 4.16 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • PHP warnings in the error log from include()/require() failing to open paths containing ../ or absolute system paths
  • Multiple requests to Rezgo plugin files carrying file-path-like parameter values, especially many in quick succession from one source
  • Parameter values referencing sensitive files such as /etc/passwd or wp-config.php

Network Indicators:

  • HTTP requests containing file path traversal patterns to Rezgo plugin endpoints

SIEM Query:

web.url:*rezgo* AND (web.param:*../* OR web.param:*file=*)

Field names depend on your log schema. Run the match against URL-decoded parameter values, otherwise %2e%2e%2f and double-encoded traversal bypass the literal ../ pattern, and expect some false positives from legitimate file= parameters.
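The following is an added example, not code from the advisory or from the Rezgo plugin. It implements the detection logic above over constructed access-log lines: it parses Apache/nginx combined-format entries, keeps requests under the plugin path (the slug rezgo is taken from the page's own wp-cli command), fully URL-decodes each query parameter so single- and double-encoded traversal is caught, and counts probes per source IP. The endpoint and parameter names in the sample lines are constructed for illustration and are not the plugin's real endpoints.

```python
"""Added example (not from the advisory or the plugin): scan web-server access
logs for LFI probes aimed at the Rezgo plugin path.

Assumptions: logs are in Apache/nginx "combined" format; the plugin lives under
/wp-content/plugins/rezgo/ (slug taken from the page's wp-cli command); the
endpoint and parameter names in SAMPLE_LOG are constructed for illustration
and are not the plugin's real endpoints.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample traffic (not real logs). Lines 1, 2 and 5 are probes;
# 3 and 4 are benign. Line 2 is single URL-encoded, line 5 double-encoded.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2024:12:00:01 +0000] "GET /wp-content/plugins/rezgo/index.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.10 - - [10/Dec/2024:12:00:02 +0000] "GET /wp-content/plugins/rezgo/index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1337 "-" "curl/8.4.0"
198.51.100.7 - - [10/Dec/2024:12:00:03 +0000] "GET /wp-content/plugins/rezgo/assets/style.css HTTP/1.1" 200 8100 "https://example.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2024:12:00:04 +0000] "GET /tours/?search=paris HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Dec/2024:12:00:05 +0000] "GET /wp-content/plugins/rezgo/index.php?tpl=..%252f..%252fwp-config.php HTTP/1.1" 500 600 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
PLUGIN_PATH = "/wp-content/plugins/rezgo/"
# "../" or "..\" as a path segment, checked after decoding.
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Files an LFI probe typically reaches for (from the advisory's indicator list).
SENSITIVE = ("wp-config.php", "/etc/passwd", "/proc/self/environ")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so %252e%252e%252f is seen as ../ too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target: str) -> list[str]:
    """Return the reasons a request target looks like an LFI probe ([] if benign)."""
    parts = urlsplit(target)
    if PLUGIN_PATH not in fully_decode(parts.path).lower():
        return []
    reasons = []
    # parse_qsl decodes one layer; fully_decode handles any remaining layers.
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if TRAVERSAL.search(value):
            reasons.append(f"traversal in {key}")
        if any(name in value.lower() for name in SENSITIVE):
            reasons.append(f"sensitive file in {key}")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Parse each log line and keep those classified as probes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = classify_target(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "target": m["target"], "reasons": reasons})
    return hits


def probes_by_source(hits: list[dict]) -> Counter:
    """Count probes per client IP: repeated attempts from one source are the signal."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["status"]} {h["target"]} <- {", ".join(h["reasons"])}')
    print("probes per source:", dict(probes_by_source(found)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a 200 response to a traversal request deserves more attention than a 404 or 500, since it suggests the include succeeded, so keep the status in the alert.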
