CVE-2024-51582 is a path traversal vulnerability identified in the ThimPress WP Hotel Booking plugin for WordPress, affecting all versions up to and including 2.2.9. The vulnerability arises from improper sanitization of file path inputs, specifically allowing the use of the sequence '.../...//' which bypasses normal directory traversal protections. This flaw enables attackers to perform PHP Local File Inclusion (LFI), where they can trick the application into including arbitrary files from the server's filesystem. Such inclusion can disclose sensitive information like configuration files, password files, or other data stored on the server. While no public exploits have been reported, the vulnerability is publicly known and could be weaponized by attackers targeting WordPress sites using this plugin. The vulnerability does not require authentication, increasing the risk of exploitation by unauthenticated remote attackers. The plugin is commonly used by hospitality and tourism websites to manage hotel bookings, making these sectors particularly vulnerable. The lack of an official patch at the time of disclosure means that affected sites remain exposed until updates or mitigations are applied.

The primary impact of this vulnerability is unauthorized disclosure of sensitive server files, which can lead to leakage of credentials, configuration details, or other critical information. This can facilitate further attacks such as privilege escalation, remote code execution, or complete site compromise. For organizations relying on WP Hotel Booking, especially those in the hospitality and tourism sectors, this could result in data breaches affecting customer information and business operations. The vulnerability affects the confidentiality and potentially the integrity and availability of the affected systems. Given the ease of exploitation without authentication and the widespread use of WordPress globally, the threat poses a significant risk to organizations running vulnerable versions of the plugin. Exploitation could also damage organizational reputation and lead to regulatory compliance issues if customer data is exposed.

Organizations should immediately verify if they are running WP Hotel Booking versions up to 2.2.9 and plan to upgrade to a patched version once available. Until a patch is released, administrators should consider disabling the plugin or restricting access to the plugin’s files and endpoints via web server configuration (e.g., using .htaccess rules to block suspicious path traversal patterns). Implementing Web Application Firewall (WAF) rules to detect and block requests containing '.../...//' sequences or other directory traversal attempts can provide temporary protection. Regularly auditing server logs for unusual file inclusion attempts and monitoring for signs of compromise is critical. Additionally, limiting file permissions and ensuring the web server runs with least privilege can reduce the impact of successful exploitation. Organizations should also maintain regular backups and have incident response plans ready in case of exploitation.