A severe security flaw has been identified in the WP Hotel Booking WordPress plugin, which is used on more than 8,000 websites. This vulnerability permits users with basic privileges to upload files to the server without proper restrictions. The issue stems from insufficient file type validation during uploads.
This weakness potentially allows malicious actors to introduce harmful code to the affected websites. If successfully exploited, the flaw could give an attacker extensive control over the compromised site, potentially leading to unauthorised access to sensitive data or further system infiltration.
The nature of this vulnerability is particularly concerning because it can be exploited by users with minimal account permissions, such as those typically given to new or basic-level users. This significantly broadens the pool of potential attackers and increases the risk to affected websites.
The vulnerability stems from the absence of file type or extension validation in WP Hotel Booking versions up to and including 2.1.2. While the affected upload function is intended to handle Base64-encoded images for user reviews, it inadvertently accepts any file format, including dangerous scripts, due to a lack of proper security checks.

By exploiting this flaw, attackers could upload a malicious PHP file, which could be executed by visiting its URL, triggering remote code execution. This would give attackers control over the entire site, potentially allowing them to install web shells, deface the site, or steal sensitive data.
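The root cause described above is an upload handler that decodes Base64 image data and writes it to disk without checking what the bytes actually are. The following is an added example of how such a handler can be hardened; it is not the plugin's code and does not reflect how the 2.1.3 patch was implemented. It assumes the review image arrives as a `data:image/...;base64,...` string (`$dataUri`) and that `$uploadDir` is a writable directory where PHP execution is disabled; the class name `ReviewImageUpload` and the 2 MiB size limit are assumptions for illustration.

```php
<?php
// Added example (not WP Hotel Booking code): hardened storage of a
// Base64-encoded review image. Every decision about what the file is and
// what it will be called is made server-side from the decoded bytes.

final class ReviewImageUpload
{
    // Only these sniffed MIME types are accepted. The on-disk extension is
    // taken from this map, never from the request.
    private const ALLOWED = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
        'image/webp' => 'webp',
    ];

    private const MAX_BYTES = 2 * 1024 * 1024; // assumed 2 MiB cap

    /** Validates the payload and stores it; returns the stored path or throws. */
    public static function store(string $dataUri, string $uploadDir): string
    {
        // 1. Parse the data URI strictly. The declared type is untrusted and is
        //    only compared against what the bytes turn out to be.
        if (!preg_match('#^data:(image/[a-z0-9.+-]+);base64,([A-Za-z0-9+/=\r\n]+)$#', $dataUri, $m)) {
            throw new InvalidArgumentException('Expected a base64 image data URI');
        }
        $declaredMime = $m[1];
        $b64          = $m[2];

        // 2. Strict decoding rejects malformed base64 instead of mangling it.
        $bytes = base64_decode($b64, true);
        if ($bytes === false || $bytes === '') {
            throw new InvalidArgumentException('Invalid base64 payload');
        }
        if (strlen($bytes) > self::MAX_BYTES) {
            throw new InvalidArgumentException('Image too large');
        }

        // 3. Sniff the real content type from magic bytes. This is the check the
        //    advisory says was missing: a script labelled "image/png" fails here.
        $finfo        = new finfo(FILEINFO_MIME_TYPE);
        $detectedMime = $finfo->buffer($bytes);
        if (!isset(self::ALLOWED[$detectedMime]) || $detectedMime !== $declaredMime) {
            throw new InvalidArgumentException("Rejected content type: $detectedMime");
        }

        // 4. Require the bytes to actually decode as an image, as defence in depth
        //    against files that merely begin with a valid image header.
        if (getimagesizefromstring($bytes) === false) {
            throw new InvalidArgumentException('Payload is not a decodable image');
        }

        // 5. Random, server-chosen name and extension: the request can never
        //    influence the final filename (no script extensions, no traversal).
        $name = bin2hex(random_bytes(16)) . '.' . self::ALLOWED[$detectedMime];
        $path = rtrim($uploadDir, '/') . '/' . $name;

        if (file_put_contents($path, $bytes, LOCK_EX) === false) {
            throw new RuntimeException('Could not write image');
        }
        return $path;
    }
}

// Usage with a constructed 1x1 PNG (sample data, not from the plugin):
$png = 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
$dir = sys_get_temp_dir();
echo ReviewImageUpload::store($png, $dir), PHP_EOL;

// A non-image payload with an image label is rejected before anything touches disk:
try {
    ReviewImageUpload::store('data:image/png;base64,' . base64_encode('not an image'), $dir);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Inside WordPress itself, `wp_check_filetype_and_ext()` performs a comparable magic-byte check for files submitted through the normal upload path; the point of the example is that a plugin accepting images through its own Base64 channel has to apply the same content-based validation rather than trusting the declared type or a client-supplied name. The strict mismatch check in step 3 will also reject a declared `image/jpg` for a real JPEG; relax that comparison if such clients must be supported.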
The fully patched version of WP Hotel Booking, 2.1.3, has been released. Researchers have urged individuals and organisations to update the plugin promptly.
In August 2024, the JS Help Desk plugin also suffered from an RCE flaw. The plugin was installed on over 5,000 websites, and the company released a patch to fix the flaw.
On July 1, four WordPress plugins were hit by a supply chain attack. Last month, an arbitrary options update flaw was reported to have affected over 40,000 Login/Signup Popup plugin installations.