8,000 WordPress Sites affected by Arbitrary File Upload Vulnerability in WP Hotel Booking WordPress Plugin




On August 3rd, 2024, we received a submission for an Arbitrary File Upload vulnerability in WP Hotel Booking, a WordPress plugin with more than 8,000 active installations. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.

Props to Truoc Phan who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $488.00 for this discovery. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on August 15, 2024. Sites using the free version of Wordfence received the same protection 30 days later on September 14, 2024.

We contacted the ThimPress team via their contact form on August 15, 2024, but we didn’t get a response. After receiving no response, we tried reaching out to them via email on September 10, 2024, and received a response on the same day. After providing full disclosure details, the developer released the patch on September 26, 2024. We would like to commend the ThimPress team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of WP Hotel Booking, version 2.1.3 at the time of this publication, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: WP Hotel Booking <= 2.1.2 – Authenticated (Subscriber+) Arbitrary File Upload
Affected Plugin: WP Hotel Booking
Plugin Slug: wp-hotel-booking
Affected Versions: <= 2.1.2
CVE ID: CVE-2024-7855
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Truoc Phan
Fully Patched Version: 2.1.3
Bounty Award: $488.00

The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

Technical Analysis

WP Hotel Booking is a WordPress plugin, which includes many features, such as room, booking, customer and report management, as well as reviews, coupons, and much more.

Examining the code reveals that the plugin uses the update_review() function in the WPHB_Comments class to add a review and upload images to it.

The function accepts a list of Base64-encoded images; the part that writes them to disk is shown in the following snippet from the vulnerable version:

$images = $params['base64_images'] ?? '';

if ( ! empty( $images ) ) {
    $upload_dir  = wp_upload_dir();
    $upload_path = str_replace( '/', DIRECTORY_SEPARATOR, $upload_dir['path'] ) . DIRECTORY_SEPARATOR;

    $attachment_ids = array();

    foreach ( $images as $image ) {
        // Strips an optional "data:image/...;base64," prefix. This is not a
        // validation step: the prefix is caller-supplied and may be absent.
        $img             = preg_replace( '/^data:image\/[a-z]+;base64,/', '', $image['base64'] );
        $img             = str_replace( ' ', '+', $img );
        $decoded         = base64_decode( $img );
        // Name and type are taken verbatim from the request; $file_type is not
        // used for any check in the code shown here.
        $filename        = $image['name'];
        $file_type       = $image['type'];
        // The caller's name, extension included, becomes part of the on-disk path.
        $hashed_filename = md5( $filename . microtime() ) . '_' . $filename;

        // Raw write into the public uploads directory, no type or extension check.
        $upload_file = file_put_contents( $upload_path . $hashed_filename, $decoded );

        // (remainder of the loop omitted in the excerpt)
    }
}

It decodes the Base64 data and writes it into the WordPress uploads directory with file_put_contents(). The on-disk name is an MD5 hash of the supplied name and microtime(), followed by an underscore and the caller's 'name' value unchanged; the hash only makes the name unique and does nothing to constrain the extension.

Unfortunately, in the vulnerable version the function performs no file type or extension check: the regular expression only strips an optional data: prefix, the 'type' value is read into $file_type but not used for validation in the code shown, and the extension comes straight from the request. Consequently the upload is not limited to images; a file with a .php extension is written just the same. Because the uploads folder is publicly accessible by default, an authenticated attacker with as little as subscriber-level access can upload arbitrary PHP code and then request the file to execute it on the server.
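The following is an added example written for this post; it is not the plugin's code and not the fix ThimPress shipped in 2.1.3, which this page does not reproduce. It keeps the input shape the snippet above uses ($params['base64_images'] as a list of arrays with 'name', 'type' and 'base64' keys) and shows the checks the vulnerable loop lacks: the file type is decided from the decoded bytes with getimagesizefromstring() rather than from the caller's 'type' or 'name', the extension comes from an allow-list, the on-disk name is generated server-side, and the write goes through wp_upload_bits(). The capability check, the size limit, the allow-list and every wphb_example_* name are assumptions made for this example.

```php
<?php
// Added example for this post: a hardened replacement for the loop above.
// NOT the plugin's code and NOT the vendor's 2.1.3 patch. The capability
// check, size limit, allow-list and wphb_example_* names are assumptions.

// Allowed image types: extension => MIME as reported by getimagesizefromstring().
const WPHB_EXAMPLE_ALLOWED_IMAGES = array(
	'jpg'  => 'image/jpeg',
	'png'  => 'image/png',
	'gif'  => 'image/gif',
	'webp' => 'image/webp',
);
const WPHB_EXAMPLE_MAX_BYTES = 5242880; // 5 MiB, assumed limit

/**
 * Store one Base64-encoded review image safely.
 *
 * @param array $image Request array with 'name', 'type' and 'base64' keys.
 * @return int|WP_Error Attachment ID on success, WP_Error on rejection.
 */
function wphb_example_store_review_image( array $image ) {
	// 1. Authorisation. Subscribers lack 'upload_files' by default; if the
	//    product needs reviewers to attach images, relax this check and rely
	//    on steps 2-6, which are what actually close the vulnerability.
	if ( ! current_user_can( 'upload_files' ) ) {
		return new WP_Error( 'wphb_forbidden', 'Not allowed to upload files.' );
	}

	// 2. Strict decoding. The original tolerated any prefix and used
	//    non-strict base64_decode(), which silently drops invalid characters.
	$raw     = isset( $image['base64'] ) ? (string) $image['base64'] : '';
	$raw     = preg_replace( '#^data:image/[a-z0-9.+-]+;base64,#i', '', $raw );
	$decoded = base64_decode( $raw, true );
	if ( false === $decoded || '' === $decoded ) {
		return new WP_Error( 'wphb_bad_encoding', 'Image data is not valid Base64.' );
	}

	// 3. Size limit before any parsing.
	if ( strlen( $decoded ) > WPHB_EXAMPLE_MAX_BYTES ) {
		return new WP_Error( 'wphb_too_large', 'Image exceeds the size limit.' );
	}

	// 4. Type from the bytes. Neither $image['type'] nor the extension of
	//    $image['name'] is consulted; a PHP script fails here because it has
	//    no image header, whatever the caller named it.
	$info = @getimagesizefromstring( $decoded );
	if ( false === $info || empty( $info['mime'] ) ) {
		return new WP_Error( 'wphb_not_image', 'Data is not a recognised image.' );
	}
	$ext = array_search( $info['mime'], WPHB_EXAMPLE_ALLOWED_IMAGES, true );
	if ( false === $ext ) {
		return new WP_Error( 'wphb_type_not_allowed', 'Image type not allowed: ' . $info['mime'] );
	}

	// 5. Server-generated filename: sanitised stem + random token + the
	//    extension derived in step 4. The caller's extension never reaches disk.
	$stem = sanitize_file_name( pathinfo( (string) ( $image['name'] ?? 'review' ), PATHINFO_FILENAME ) );
	$stem = ( '' === $stem ) ? 'review' : substr( $stem, 0, 40 );
	$name = $stem . '-' . wp_generate_password( 12, false ) . '.' . $ext;

	// 6. Write through WordPress, which places the file under the uploads
	//    directory and re-checks the extension against the site's allowed MIME types.
	$upload = wp_upload_bits( $name, null, $decoded );
	if ( ! empty( $upload['error'] ) ) {
		return new WP_Error( 'wphb_write_failed', $upload['error'] );
	}

	// 7. Register the attachment so the media library tracks it.
	$attachment_id = wp_insert_attachment(
		array( 'post_mime_type' => $info['mime'], 'post_title' => $stem, 'post_status' => 'inherit' ),
		$upload['file'], 0, true
	);
	if ( is_wp_error( $attachment_id ) ) {
		return $attachment_id;
	}
	require_once ABSPATH . 'wp-admin/includes/image.php';
	wp_update_attachment_metadata( $attachment_id, wp_generate_attachment_metadata( $attachment_id, $upload['file'] ) );
	return $attachment_id;
}

/** Drop-in for the original loop: returns the IDs of the images that passed. */
function wphb_example_store_review_images( array $params ) {
	$ids    = array();
	$images = ( isset( $params['base64_images'] ) && is_array( $params['base64_images'] ) ) ? $params['base64_images'] : array();
	foreach ( $images as $image ) {
		$result = is_array( $image ) ? wphb_example_store_review_image( $image ) : null;
		if ( is_int( $result ) ) {
			$ids[] = $result;
		}
	}
	return $ids;
}
```

Two points worth keeping in mind when adapting this. The decisive change is steps 4 and 5: the server, not the client, decides both the content type and the extension, so a PHP payload is rejected before any filename is built. wp_upload_bits() is a second line of defence, not the first, because it consults the site's upload_mimes list, which a plugin or administrator can widen. If the product genuinely needs subscribers to attach review images, the capability check in step 1 is the part to relax, not the content checks.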

As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.
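As an added check, not part of the original advisory or the vendor's code: a stand-alone PHP CLI script that lists what exploitation of this kind of bug leaves behind in wp-content/uploads. It flags files with a server-executable extension, double extensions, .htaccess or .user.ini files that could re-enable execution inside uploads, image-named files whose leading bytes do not match their extension, and small files that contain a PHP open tag. The extension and magic-byte lists and the size threshold are the example's own assumptions; the script only reports, it does not delete anything.

```php
<?php
// Added example, not from the advisory or the vendor: a CLI scanner for the
// artefacts an arbitrary-file-upload compromise leaves in wp-content/uploads.
// Usage: php find-suspicious-uploads.php /var/www/html/wp-content/uploads
// The extension list, magic bytes and size threshold are this example's assumptions.

// Extensions the web server may hand to the PHP interpreter.
const EXEC_EXTENSIONS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar' );

// Control files that can re-enable PHP execution inside uploads.
const CONTROL_FILES = array( '.htaccess', '.user.ini' );

// Leading bytes of the image formats a review upload would legitimately produce.
const IMAGE_MAGIC = array(
	'jpg'  => "\xFF\xD8\xFF",
	'jpeg' => "\xFF\xD8\xFF",
	'png'  => "\x89PNG\r\n\x1A\n",
	'gif'  => 'GIF8',
	'webp' => 'RIFF',
);

const MAX_DEEP_SCAN = 4194304; // 4 MiB: read whole files only up to this size

/** Return a reason string if the file looks suspicious, null otherwise. */
function classify_upload( string $path ): ?string {
	$base = basename( $path );
	$ext  = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );

	if ( in_array( $base, CONTROL_FILES, true ) ) {
		return 'server control file in uploads';
	}
	if ( in_array( $ext, EXEC_EXTENSIONS, true ) ) {
		return 'executable extension';
	}
	// shell.php.jpg style names: some Apache configurations still run these.
	if ( preg_match( '/\.(php\d?|phtml|phar)\./i', $base ) ) {
		return 'double extension';
	}
	// Image extension whose header is not that image format.
	$head = (string) @file_get_contents( $path, false, null, 0, 16 );
	if ( '' !== $head && isset( IMAGE_MAGIC[ $ext ] ) && 0 !== strpos( $head, IMAGE_MAGIC[ $ext ] ) ) {
		return 'extension does not match content';
	}
	// A PHP open tag anywhere in a small file (catches image/PHP polyglots).
	$size = (int) @filesize( $path );
	if ( $size > 0 && $size <= MAX_DEEP_SCAN ) {
		$body = (string) @file_get_contents( $path );
		if ( false !== stripos( $body, '<?php' ) || false !== strpos( $body, '<?=' ) ) {
			return 'contains PHP open tag';
		}
	}
	return null;
}

/** Walk $root recursively and return findings, most recently modified first. */
function scan_uploads( string $root ): array {
	$findings = array();
	$iter     = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $iter as $entry ) {
		if ( ! $entry->isFile() ) {
			continue;
		}
		$reason = classify_upload( $entry->getPathname() );
		if ( null !== $reason ) {
			$findings[] = array(
				'mtime'  => date( 'Y-m-d H:i:s', $entry->getMTime() ),
				'size'   => $entry->getSize(),
				'reason' => $reason,
				'path'   => $entry->getPathname(),
			);
		}
	}
	usort( $findings, function ( $a, $b ) { return strcmp( $b['mtime'], $a['mtime'] ); } );
	return $findings;
}

if ( PHP_SAPI === 'cli' && ! empty( $argv[1] ) && is_dir( $argv[1] ) ) {
	$hits = scan_uploads( $argv[1] );
	foreach ( $hits as $f ) {
		printf( "%s  %9d  %-34s %s\n", $f['mtime'], $f['size'], $f['reason'], $f['path'] );
	}
	fwrite( STDERR, count( $hits ) . " suspicious file(s) found\n" );
	exit( $hits ? 1 : 0 );
}
```

Run it read-only as the account that owns the files and compare modification times of any hits with the disclosure timeline below and with the site's access logs. A clean uploads directory is necessary but not sufficient: once an attacker has code execution they can write anywhere the PHP process can, so a hit here is a reason to widen the investigation, not a boundary for it.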

Disclosure Timeline

August 3, 2024 – We received the submission for the Arbitrary File Upload vulnerability in WP Hotel Booking via the Wordfence Bug Bounty Program.
August 15, 2024 – We validated the report and confirmed the proof-of-concept exploit.
August 15, 2024 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
August 15, 2024 – We initiated contact via the vendor contact form, asking that they confirm the inbox for handling the discussion.
September 10, 2024 – After not receiving a response, we followed up by sending an email to the vendor.
September 10, 2024 – The vendor confirmed the inbox for handling the discussion.
September 11, 2024 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
September 14, 2024 – Wordfence free users received the same protection.
September 26, 2024 – The fully patched version of the plugin, 2.1.3, was released.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability within the WP Hotel Booking plugin affecting versions 2.1.2 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to execute malicious code on the server. The vulnerability has been addressed in version 2.1.3 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Hotel Booking as soon as possible, given the high severity of this vulnerability (CVSS 8.8).


If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
