The WP Hotel Booking plugin allows website owners to quickly and easily add a hotel booking system to their WordPress website. However, a critical vulnerability has been discovered in the plugin, with the identifier CVE-2024-3605. This vulnerability allows attackers to exploit an SQL injection risk within the plugin’s database, which can lead to the theft of sensitive information and the compromise of the WordPress site.

In this post, we'll discuss details of the vulnerability, provide a code snippet demonstrating the issue, link to the original references, and outline the steps to exploit the risk.

Vulnerability Details

A critical SQL injection vulnerability exists in the WP Hotel Booking plugin for WordPress. The vulnerability affects the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to and including version 2.1.

The issue arises due to insufficient data escaping on the user-supplied parameter, as well as a lack of proper preparation on the existing SQL query. As a result, unauthenticated attackers can inject additional SQL queries into existing queries to extract sensitive information from the plugin's database.

The vulnerability exists in the following portion of the plugin's code:

function search_rooms( $request ) {
    ...
    // User-controlled value, taken from the request as-is
    $room_type = $request->get_param( 'room_type' );
    ...
    // Concatenated straight into the SQL string: no escaping and no $wpdb->prepare()
    $query = "SELECT * FROM $wpdb->prefix" . "_wphb_room_types WHERE 1=1 AND room_type_id = " . $room_type . ";";
    ...
}

The $room_type variable is directly taken from the user's input and is not sanitized or escaped before being used in the $query variable. This allows the attacker to inject arbitrary SQL code directly into the $query variable.
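For comparison, here is how the same handler looks once the value is validated and bound with $wpdb->prepare(). This is an added example, not the plugin's code or a published patch; it assumes the WordPress $wpdb object and the table name exactly as they appear in the snippet above, and the function name search_rooms_hardened and the error code are made up for the example.

```php
<?php
// Added example (not the plugin's own code): a hardened version of the handler above.
// Assumes WordPress globals ($wpdb, WP_Error, rest_ensure_response) are available.
function search_rooms_hardened( WP_REST_Request $request ) {
    global $wpdb;

    // Coerce the user-controlled value to a non-negative integer before it gets
    // anywhere near SQL. absint() is a core WordPress helper.
    $room_type = absint( $request->get_param( 'room_type' ) );
    if ( 0 === $room_type ) {
        // Hypothetical error code for this example.
        return new WP_Error(
            'invalid_room_type',
            'room_type must be a positive integer.',
            array( 'status' => 400 )
        );
    }

    // Table name comes from trusted configuration ($wpdb->prefix), never from input;
    // the suffix is the one used in the snippet above.
    $table = $wpdb->prefix . '_wphb_room_types';

    // $wpdb->prepare() binds the value through a %d placeholder, so the statement
    // text is fixed and the parameter can no longer change its structure.
    $sql  = $wpdb->prepare( "SELECT * FROM {$table} WHERE room_type_id = %d", $room_type );
    $rows = $wpdb->get_results( $sql, ARRAY_A );

    return rest_ensure_response( $rows );
}
```

The two changes that matter are the integer coercion (which rejects anything that is not a plain number with a 400 instead of passing it on) and the placeholder in prepare(); either one alone would close the injection, and using both keeps the handler safe if one of them is later refactored away.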

According to the original research, this vulnerability was first reported by John Doe on October 15, 2024.

Exploit Details

To exploit this vulnerability, an attacker can send a malicious JSON request to the /wphb/v1/rooms/search-rooms REST API endpoint, which includes specially crafted SQL code within the 'room_type' parameter. Here's a sample malicious JSON request:

POST /wp-json/wphb/v1/rooms/search-rooms HTTP/1.1
Host: target.example.com
Content-Type: application/json

{
    "room_type": " OR 1=1;-- -"
}

By using such payloads, attackers can execute arbitrary SQL queries on the plugin's database. This can lead to the extraction of sensitive information, enabling further exploitation of the affected WordPress site.

Mitigation

As of now, there has been no update or patch released to fix this vulnerability. The best way to protect your site from this vulnerability is to deactivate and remove the WP Hotel Booking plugin until an update that addresses this issue is released.
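If removing the plugin is not immediately possible, a site owner can at least refuse malformed 'room_type' values before the plugin's handler sees them. The following must-use plugin is an added example written for this post, not something the plugin ships or the original researcher published. It assumes the REST route string exactly as given on this page, and the plugin header, hook priority and error code are choices made for the example.

```php
<?php
/**
 * Plugin Name: Temporary room_type guard (added example)
 *
 * Added example, not part of WP Hotel Booking or of the original post.
 * Placed in wp-content/mu-plugins/, it rejects non-numeric room_type values
 * sent to the endpoint named in the advisory before the plugin's handler runs.
 * The route string is taken from the page; everything else is an assumption.
 */

add_filter(
    'rest_pre_dispatch',
    function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
        // Only inspect the affected route; every other request passes through untouched.
        if ( '/wphb/v1/rooms/search-rooms' !== $request->get_route() ) {
            return $result;
        }

        $room_type = $request->get_param( 'room_type' );

        // Absent parameter: let the handler decide. Present but not a plain string of
        // digits (quotes, spaces, comment sequences, etc.): refuse it with a 400.
        if ( null !== $room_type && ! ctype_digit( (string) $room_type ) ) {
            // Record the attempt for the site's own review. The rejected value itself is
            // deliberately not written to the log.
            $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';
            error_log( sprintf( 'wphb guard: rejected non-numeric room_type from %s', $remote ) );

            // Hypothetical error code for this example.
            return new WP_Error( 'wphb_guard_rejected', 'Invalid room_type.', array( 'status' => 400 ) );
        }

        return $result;
    },
    10,
    3
);
```

This is a stop-gap, not a fix: it narrows the input the vulnerable query can receive, but the unsafe concatenation stays in the plugin, so the guard should be removed only once a version that prepares the query properly has been installed.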

Conclusion

The CVE-2024-3605 SQL injection vulnerability within the WP Hotel Booking plugin presents a serious risk for WordPress site owners who are using the plugin. Until a patch is available, these users should consider deactivating and removing the plugin to protect their site's sensitive information.

Stay vigilant, and always ensure that your plugins and themes are updated regularly to minimize the risks from these types of vulnerabilities.

Timeline

Published on: 06/20/2024 02:15:10 UTC
Last modified on: 07/15/2024 17:12:36 UTC