CVE-2023-5799
WP Hotel Booking < 2.0.9 - Contributor+ Arbitrary Post Deletion
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them
El complemento WP Hotel Booking de WordPress anterior a 2.0.8 no tiene la autorizaciĆ³n adecuada al eliminar un paquete, lo que permite que los roles Colaborador y superiores eliminen publicaciones que no les pertenecen.
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient authorization checks on the tp_extra_package_remove() function hooked via AJAX in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with contributor-level access and above, to delete arbitrary posts. While the patch for CVE-2023-5651 ensured subscriber-level users couldn't delete arbitrary posts, the checks were not sufficient in preventing higher authenticated users such as contributors from deleting arbitrary posts.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-10-26 CVE Reserved
- 2023-10-26 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-10-20 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-863: Incorrect Authorization
CAPEC
References (1)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
https://wpscan.com/vulnerability/3061f85e-a70e-49e5-bccf-ae9240f51178 | 2024-08-02 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Thimpress Search vendor "Thimpress" | Wp Hotel Booking Search vendor "Thimpress" for product "Wp Hotel Booking" | < 2.0.8 Search vendor "Thimpress" for product "Wp Hotel Booking" and version " < 2.0.8" | wordpress |
Affected
|