CVE-2025-66078

Improper Control of Generation of Code · Multiple Products

Executive summary

A critical vulnerability has been identified in the Hotel Booking Lite WordPress plugin, which allows a remote, unauthenticated attacker to inject and execute arbitrary code. Successful exploitation of this vulnerability could lead to a complete compromise of the affected website and the underlying server, enabling data theft, service disruption, and further network intrusion.

Vulnerability

The vulnerability is an Improper Control of Generation of Code, commonly known as Code Injection. Specifically, it allows for Remote Code Inclusion within the Hotel Booking Lite plugin. An unauthenticated remote attacker can send a specially crafted web request to the vulnerable application, causing it to include and execute malicious code from a remote server controlled by the attacker. This is likely due to insufficient sanitization of user-supplied input that is later used in a file inclusion function.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.1. A successful exploit would grant an attacker full control over the web application and potentially the host server. The business impact could be severe, including the theft of sensitive customer data (e.g., personal information, booking details), financial loss from fraudulent activities, and significant reputational damage. An attacker could also deface the website, install ransomware, or use the compromised server as a launch point for further attacks against the internal network.

Remediation

Immediate Action: Update the Hotel Booking Lite plugin to the latest version provided by the vendor (a version later than 5.2.3). After patching, review system and access logs for any signs of compromise that may have occurred before the update was applied.

Proactive Monitoring: Actively monitor web server access logs for unusual requests targeting the Hotel Booking Lite plugin, particularly requests containing URLs or file paths in parameters. Monitor network traffic for unexpected outbound connections from the web server. Implement file integrity monitoring to detect unauthorized changes to website files.
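A small triage script for the access-log review described above, added here as an example and not part of the advisory: it scans Combined Log Format lines for requests to the plugin directory whose query parameters decode to a remote URL, a PHP stream wrapper or a directory-traversal sequence. The plugin directory substring, the endpoint and parameter names in the sample lines, and the sample lines themselves are constructed placeholders, not values from the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed plugin directory substring (placeholder); use the real slug of your install.
PLUGIN_PATH_HINT = "hotel-booking"

# Pull the request target out of a Combined Log Format line.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Values naming a remote resource or a PHP stream wrapper (RFI-style include targets),
# or traversing directories. Heuristics for triage, not proof of exploitation.
REMOTE_RE = re.compile(r"^(?:https?|ftps?|php|data|expect|phar)://", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\./")

def suspicious_params(request_target):
    """Return parameter names whose decoded value looks like an include target."""
    hits = []
    for name, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        decoded = unquote(value).strip()  # parse_qsl decoded once; catch double-encoding
        if REMOTE_RE.match(decoded) or TRAVERSAL_RE.search(decoded):
            hits.append(name)
    return hits

def flag_line(line):
    """(target, [params]) when a plugin request carries such a value, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    target = m.group(1)
    if PLUGIN_PATH_HINT not in target.lower():
        return None
    hits = suspicious_params(target)
    return (target, hits) if hits else None

def scan(lines):
    """Flagged (target, params) pairs for every line worth an analyst's look."""
    return [hit for hit in map(flag_line, lines) if hit]

# Constructed sample lines; endpoint and parameter names are invented for illustration.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-content/plugins/hotel-booking/index.php?template=http%3A%2F%2Fexample.net%2Fx.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /wp-content/plugins/hotel-booking/?page=rooms HTTP/1.1" 200 8192',
    '198.51.100.9 - - [01/Jan/2025:10:00:07 +0000] "GET /wp-content/plugins/hotel-booking/index.php?template=..%2F..%2Fsome-local-file.txt HTTP/1.1" 200 300',
    '198.51.100.8 - - [01/Jan/2025:10:00:09 +0000] "GET /?s=http://example.net HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for target, params in scan(SAMPLE_LOG):
        print(f"suspicious include value in {params} for {target}")
```

Hits should be correlated with the outbound-connection and file-integrity monitoring the advisory recommends; a URL-valued parameter on its own may be legitimate plugin behaviour.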

Compensating Controls: If patching is not immediately possible, implement a Web Application Firewall (WAF) with rules designed to block remote file inclusion and code injection attack patterns. Restrict the web server's ability to make outbound network connections to only essential, trusted destinations. If the plugin's functionality is not critical, consider disabling it until it can be safely patched.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the critical severity (CVSS 9.1) of this vulnerability, immediate action is required. Organizations using the affected Hotel Booking Lite plugin must prioritize applying the vendor-supplied patch to all vulnerable instances. Although this vulnerability is not currently listed on the CISA KEV catalog, its high impact means it should be treated with the utmost urgency to prevent a potential system compromise.