This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: A critical SQL Injection (SQLi) flaw in WP Hotel Booking.
**Consequences**: Attackers can steal, modify, or delete database content. …
**Affected Product**: WordPress Plugin: **WP Hotel Booking**.
**Version**: Versions **before 2.0.8**.
**Note**: If you are running 2.0.8 or later, you are safe.
Q4: What can hackers do? (Privileges/Data)
**Attacker Capabilities**:
- Execute arbitrary SQL commands.
- Access sensitive user data (credentials, emails).
- Modify site content.
- Potentially take over the database. …
**Threshold**: **Extremely Low**.
**Auth**: None required.
**Config**: Default installation is vulnerable.
**Ease**: Any internet user can trigger the exploit via the `admin_init` hook.
Q6: Is there a public Exp? (PoC/Wild Exploitation)
**Public Exploit**: **YES**.
**PoC Available**: Proof of Concept exists in Nuclei templates (ProjectDiscovery). …
**Self-Check**:
1. Check your WordPress Dashboard for **WP Hotel Booking**.
2. Verify the version number.
3. If it is < 2.0.8, you are vulnerable. …
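As an added self-check example (not code from the original analysis), the script below reads the `Version:` field from a WordPress plugin header and compares it numerically against 2.0.8, so a release such as 2.0.10 is not mistaken for a vulnerable one by plain string comparison. The header text is a constructed sample, and the plugin file path is an assumption.

```python
"""Check whether an installed WP Hotel Booking copy is below the fixed
version 2.0.8 (added example; not from the original analysis)."""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "2.0.8"

# Constructed sample of a WordPress plugin header block. On a real site the
# header lives in the plugin's main PHP file under wp-content/plugins/.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Hotel Booking
 * Version: 2.0.7
 */
"""


def parse_version(header: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header, re.M)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 2.0.10 > 2.0.8.
    Comparing the raw strings would rank '2.0.10' below '2.0.8'."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version."""
    return version_tuple(version) < version_tuple(fixed)


def check_plugin_file(path: Path) -> Optional[bool]:
    """Read a plugin's main file and report vulnerability; None if no header.
    The path (e.g. wp-content/plugins/<slug>/<main>.php) is an assumption."""
    v = parse_version(path.read_text(encoding="utf-8", errors="replace"))
    return None if v is None else is_vulnerable(v)


if __name__ == "__main__":
    v = parse_version(SAMPLE_HEADER)
    print(f"installed {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
```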
**Official Fix**: **YES**.
**Patch**: Update **WP Hotel Booking** to version **2.0.8** or higher.
**Source**: Vendor (WP Hotel Booking) released the fix. Check WPScan for the official advisory.
Q9: What if no patch? (Workaround)
**No Patch Workaround**:
1. **Disable Plugin**: Deactivate WP Hotel Booking immediately if you can't update.
2. **WAF Rules**: Block requests targeting `admin_init` with suspicious SQL payloads.
3. …