This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: A critical Remote Code Execution (RCE) flaw in the **wp-hotel-booking** plugin for WordPress.β¦
π¦ **Affected**: WordPress sites using the **wp-hotel-booking** plugin. <br>π **Versions**: Specifically versions **through 1.10.2**. Any version β€ 1.10.2 is vulnerable.
Q4What can hackers do? (Privileges/Data)
π **Capabilities**: Hackers gain **Remote Code Execution (RCE)** privileges. <br>π **Data Impact**: They can access, modify, or delete any data on the server, install backdoors, or pivot to other internal systems.
Q5Is exploitation threshold high? (Auth/Config)
β‘ **Threshold**: **LOW**. <br>π **Auth**: No authentication required. The vulnerability is triggered via a cookie, meaning it is **Remote** and **Unauthenticated**. Anyone can exploit it.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π **Exploit Status**: **YES**. <br>π **PoC**: Public Proof-of-Concept available via **Nuclei templates** (ProjectDiscovery). Wild exploitation is likely given the ease of use.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: <br>1. Scan for the **wp-hotel-booking** plugin. <br>2. Check version number (β€ 1.10.2). <br>3.β¦
π§ **Workaround**: If patching is delayed: <br>1. **Disable/Deactivate** the wp-hotel-booking plugin immediately. <br>2. Implement WAF rules to block suspicious serialized data in cookies. <br>3.β¦
π₯ **Priority**: **CRITICAL / URGENT**. <br>β±οΈ **Reason**: Unauthenticated RCE is a top-tier threat. Since PoCs are public, automated bots are likely scanning for this. Patch immediately to prevent server takeover.