Description
The WP Hotel Booking WordPress plugin before 2.0.8 lacks authorisation and CSRF checks and does not escape user input before using it in a SQL statement in a function hooked to admin_init, allowing unauthenticated users to perform SQL injection.
Affected products
- Unknown / WP Hotel Booking: 0 – 2.0.8
Exploits & PoCs
- nuclei: WP Hotel Booking <= 2.0.7 - SQL Injection, by Shivam Kamboj, s4e-io