CVE-2023-5991: 
WordPress vulnerability analysis and mitigation

The Hotel Booking Lite WordPress plugin before version 4.8.5 contains a critical security vulnerability (CVE-2023-5991) that was disclosed on December 1, 2023. The vulnerability affects both the Hotel Booking Lite and Hotel Booking plugins, allowing unauthenticated users to download and delete arbitrary files on the server due to improper file path validation and lack of proper CSRF and authorization checks (WPScan Advisory).

The vulnerability stems from the plugin's failure to validate file paths provided via user input, combined with missing CSRF and authorization checks. It has been assigned a CVSS v3.1 base score of 9.8 (Critical) and is classified as a Path Traversal vulnerability (CWE-22). The vulnerability allows attackers to exploit the mphb_action=download parameter to access files outside the intended directory structure (WPScan Advisory, NVD).

The vulnerability allows unauthenticated attackers to download and delete arbitrary files from the affected server. This could lead to exposure of sensitive information, such as configuration files, and potential system compromise through deletion of critical files (WPScan Advisory).

The vulnerability has been patched in version 4.8.5 of both the Hotel Booking Lite and Hotel Booking plugins. Users are strongly advised to update to this version or later to protect their installations (WPScan Advisory).