CVE-2023-5652
[CRITICAL] [NUCLEI] WP Hotel Booking < 2.0.8 - Unauthenticated SQL Injection via admin_init Hook
Title source: llm
Exploitation Summary
CVE-2023-5652 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The WP Hotel Booking WordPress plugin before 2.0.8 lacks authorisation and CSRF checks and does not escape user input before using it in a SQL statement inside a function hooked to admin_init, allowing unauthenticated users to perform SQL injection.
Nuclei Templates (1)
WP Hotel Booking <= 2.0.7 - SQL Injection
[CRITICAL] [VERIFIED] by Shivam Kamboj, s4e-io
References (1)
Core References
https://wpscan.com/vulnerability/8ea46b9a-5239-476b-949d-49546371eac1 (Exploit, Third Party Advisory; tags: exploit, vdb-entry, technical-description)
Scores
CVSS v3: 9.8
EPSS: 0.6371
EPSS Percentile: 99.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-89
Status: published
Products (1): thimpress/wp_hotel_booking < 2.0.8
Published: Nov 20, 2023
Tracked Since: Feb 18, 2026