CVE-2024-3605 is a critical SQL Injection vulnerability identified in the WP Hotel Booking plugin for WordPress, specifically in versions up to and including 2.1.0. The vulnerability exists due to improper neutralization of special elements in the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint. The plugin fails to properly escape or prepare the SQL query that incorporates this user-supplied parameter, allowing attackers to append arbitrary SQL commands. This flaw can be exploited by unauthenticated remote attackers without any user interaction, making it highly accessible. Successful exploitation can lead to unauthorized disclosure of sensitive information, modification or deletion of database records, and potentially full compromise of the affected WordPress site. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), a common and dangerous injection flaw. The CVSS v3.1 base score is 10.0, reflecting its critical nature with network attack vector, no required privileges, no user interaction, and complete impact on confidentiality, integrity, and availability. While no public exploits are currently known, the vulnerability's characteristics make it a prime target for attackers. The plugin is widely used by hospitality and tourism websites built on WordPress, increasing the potential attack surface. No official patches or updates were linked at the time of disclosure, emphasizing the need for immediate mitigation.

The impact of CVE-2024-3605 is severe for organizations using the WP Hotel Booking plugin. Exploitation can lead to complete compromise of the backend database, exposing sensitive customer data such as personal information, booking details, and payment information. Attackers could alter or delete booking records, disrupt hotel operations, or leverage the compromised site as a foothold for further attacks within the hosting environment. The vulnerability's unauthenticated and remote nature means attackers can exploit it at scale, potentially affecting thousands of websites globally. This can result in significant reputational damage, regulatory penalties (especially under data protection laws like GDPR), and financial losses. Additionally, the ability to execute arbitrary SQL commands could allow attackers to escalate privileges or deploy malware, further endangering organizational assets. The hospitality sector, which relies heavily on online booking systems, is particularly vulnerable, and downtime or data breaches could directly impact revenue and customer trust.

Organizations should immediately audit their WordPress sites to identify installations of the WP Hotel Booking plugin, especially versions up to 2.1.0. Since no official patch links were provided at disclosure, administrators should monitor the vendor’s official channels for updates or patches and apply them as soon as they become available. In the interim, consider disabling or restricting access to the vulnerable REST API endpoint (/wphb/v1/rooms/search-rooms) using web application firewalls (WAFs) or server-level access controls to block suspicious or malformed requests targeting the 'room_type' parameter. Employ input validation and sanitization at the application or proxy level if possible. Regularly back up databases and website files to enable recovery in case of compromise. Conduct thorough security assessments and monitor logs for unusual SQL query patterns or access attempts. Additionally, consider isolating the WordPress environment and limiting database user privileges to minimize potential damage. Finally, educate development and security teams about secure coding practices to prevent similar injection flaws in custom plugins or themes.