CVE-2020-29047

CRITICAL EXPLOITED NUCLEI

Thimpress WP Hotel Booking < 1.10.2 - Insecure Deserialization

Title source: rule

Description

The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.

Nuclei Templates (1)

WP Hotel Booking < 1.10.4 - PHP Object Injection

CRITICALVERIFIEDby DhiyaneshDk

FOFA: body="wp-content/plugins/wp-hotel-booking"

References (2)

[Exploit, Third Party Advisory] https://appcheck-ng.com/cve-2020-29047/

[Product, Third Party Advisory] https://wordpress.org/plugins/wp-hotel-booking/#developers

Scores

CVSS v3 9.8

EPSS 0.8462

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2021-08-17

Classification

CWE

CWE-502

Status published

Affected Products (1)

thimpress/wp_hotel_booking < 1.10.2

Timeline

Published Mar 03, 2021

Tracked Since Feb 18, 2026