CVE-2023-5799
WP Hotel Booking <= 2.0.8 - Insufficient Authorization to Unauthorized Post Deletion
mediumIncorrect Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.0.9
Patched in
89d
Time to patch
Description
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient authorization checks on the tp_extra_package_remove() function hooked via AJAX in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with contributor-level access and above, to delete arbitrary posts. While the patch for CVE-2023-5651 ensured subscriber-level users couldn't delete arbitrary posts, the checks were not sufficient in preventing higher authenticated users such as contributors from deleting arbitrary posts.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NAttack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability
Technical Details
Affected versions
<=2.0.8PublishedOctober 26, 2023
Last updatedJanuary 22, 2024
Affected pluginwp-hotel-booking
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.