CVE-2024-7855: CWE-434 Unrestricted Upload of File with Dangerous Type in thimpress WP Hotel Booking
CVE-2024-7855 is a high-severity vulnerability in the WP Hotel Booking WordPress plugin by thimpress, affecting all versions up to and including 2.1.2. It allows authenticated users with subscriber-level access or higher to upload arbitrary files because the update_review() function does not validate the type of the uploaded file. If the file lands in a web-served directory, as WordPress uploads normally do, an uploaded PHP file can be executed simply by requesting it over HTTP, giving remote code execution on the affected server. The vulnerability requires no user interaction beyond authentication and has a CVSS 3.1 base score of 8.8 (High), with high impact on confidentiality, integrity, and availability. No public exploits are currently known. Organizations running WordPress sites with this plugin are at risk, especially those that allow self-registration or otherwise hold many low-privilege accounts, since Subscriber is the lowest default role. Immediate patching or mitigation is essential to prevent potential compromise.
AI Analysis
Technical Summary
CVE-2024-7855 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the WP Hotel Booking plugin for WordPress, developed by thimpress. The flaw exists in the update_review() function, which fails to validate the type of files uploaded by authenticated users. This lack of validation allows attackers with subscriber-level privileges or higher to upload arbitrary files to the server hosting the WordPress site. Plugin code executes inside the web server's PHP process, so a file with a server-side extension written to a web-accessible directory is executed on the next request for it, which turns the upload into remote code execution and potentially full compromise of the site and its database credentials. Note that WordPress subscribers do not hold the upload_files capability by default (authors and above do), so the bug is effectively a privilege escalation from the lowest built-in role. The vulnerability affects all versions up to and including 2.1.2 of the plugin. The CVSS 3.1 base score is 8.8, reflecting a high severity: network attack vector, low attack complexity, low privileges required (a subscriber account), and no user interaction beyond authentication. The vulnerability impacts confidentiality, integrity, and availability by enabling attackers to execute malicious code, steal data, or disrupt services. Although no known exploits are currently reported in the wild, the ease of exploitation and the widespread use of WordPress and this plugin make it a significant threat. The vulnerability was publicly disclosed on October 2, 2024, and no official patches have been linked yet, increasing the urgency for mitigation.
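The shape of a CWE-434 bug in a WordPress review-upload handler, beside the hardened form a plugin should use, as an added illustration. This is not the WP Hotel Booking plugin's code; the function and action names (demo_update_review_vulnerable, demo_update_review_hardened, demo_review_upload) and the review_image field are hypothetical. Only the WordPress core functions called are real APIs.

```php
<?php
// Illustrative AJAX upload handler for a plugin review form (added example,
// not the plugin's own source). Function, action and field names are
// hypothetical; the WordPress core functions used are real.

// VULNERABLE PATTERN (CWE-434): the file is written into a web-served
// directory under its client-supplied name, with no capability check and no
// extension or content validation. An attacker uploads shell.php and then
// requests it over HTTP.
function demo_update_review_vulnerable() {
    if ( ! is_user_logged_in() || empty( $_FILES['review_image'] ) ) {
        wp_send_json_error( 'not allowed' );
    }
    $upload_dir = wp_upload_dir();
    $dest = trailingslashit( $upload_dir['path'] ) . basename( $_FILES['review_image']['name'] );
    move_uploaded_file( $_FILES['review_image']['tmp_name'], $dest );
    wp_send_json_success( array( 'url' => trailingslashit( $upload_dir['url'] ) . basename( $dest ) ) );
}

// HARDENED FORM: nonce, capability check, explicit MIME allowlist, and the
// WordPress upload API, which re-checks the extension against file content.
function demo_update_review_hardened() {
    check_ajax_referer( 'demo_review_upload', 'nonce' );

    // Subscribers do not have upload_files by default; authors and above do.
    if ( ! current_user_can( 'upload_files' ) || empty( $_FILES['review_image'] ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    $file  = $_FILES['review_image'];
    $mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // wp_check_filetype_and_ext() compares the claimed extension with the
    // real content (finfo / getimagesize); 'ext' is false on a mismatch.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not permitted', 400 );
    }

    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false,  // request is not from the core media form
            'mimes'     => $mimes, // enforce the same allowlist inside core
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // Register the upload as an attachment and return only its ID, not a path.
    $attachment_id = wp_insert_attachment(
        array(
            'post_mime_type' => $result['type'],
            'post_title'     => sanitize_file_name( basename( $result['file'] ) ),
            'post_status'    => 'inherit',
        ),
        $result['file']
    );
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}

add_action( 'wp_ajax_demo_update_review', 'demo_update_review_hardened' );
```

The allowlist is the important part: a denylist of ".php" misses phtml, phar and double extensions, whereas an allowlist that is cross-checked against content by wp_check_filetype_and_ext() rejects anything that is not actually an image. The capability check matters independently, because the bug as described is reachable by the lowest default role.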
Potential Impact
The impact of CVE-2024-7855 is substantial for organizations using the WP Hotel Booking plugin. An attacker with minimal privileges (subscriber-level) can upload arbitrary files, potentially leading to remote code execution. This can result in full server compromise, data breaches, defacement of websites, or use of the server as a pivot point for further attacks within the network. For businesses in the hospitality and tourism sectors relying on this plugin, the risk includes loss of customer data, disruption of booking services, and reputational damage. The vulnerability also threatens the confidentiality of sensitive customer information and the integrity of the website content. Since WordPress powers a significant portion of the web, and this plugin is popular among hotel and booking sites, the scope of affected systems is broad. The ease of exploitation and the lack of required user interaction increase the likelihood of attacks once exploit code becomes available. Organizations without proper access controls or monitoring are particularly vulnerable.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the WP Hotel Booking plugin and its version (for example with `wp plugin list` under WP-CLI, or from the Plugins screen). Until an official patch is released, administrators should deactivate the plugin or, if the booking functionality cannot be taken offline, disable its review feature so that update_review() is not reachable by low-privilege users. Because the bug needs only a subscriber account, check whether self-registration is enabled (the `users_can_register` option) and what `default_role` new accounts receive; turning registration off removes the easiest route to the required privilege. Configure the web server to refuse PHP execution under wp-content/uploads (an Apache `.htaccess` with `php_flag engine off` or a `<FilesMatch "\.ph(p|tml|ar)$">` deny rule, or an nginx `location ~* /uploads/.*\.php$ { deny all; }` block), which neutralises the most common payload even when the upload itself succeeds. Implementing web application firewall (WAF) rules to detect and block suspicious file uploads targeting this plugin can provide temporary protection. Monitor the uploads tree for files with server-side extensions, for double extensions such as `name.php.jpg`, and for PHP open tags inside files that claim to be images, since these are the artefacts exploitation leaves behind. Additionally, enforcing the principle of least privilege by limiting user roles and permissions reduces the attack surface. Regular backups and incident response plans should be updated to prepare for potential exploitation. Once a patch is available, prompt application is critical. Organizations should also consider isolating WordPress environments and using security plugins that enforce strict file upload validation.
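An added audit script that covers the two checks above: whether the installed plugin version falls in the affected range, and whether wp-content/uploads already contains files that an unrestricted upload would leave behind. It is not part of the advisory or the plugin, and it assumes a standard WordPress layout with the plugin's main file at wp-content/plugins/wp-hotel-booking/wp-hotel-booking.php (the file name is an assumption; adjust it if the plugin's main file is named differently).

```php
<?php
// Post-disclosure audit for an unrestricted-upload bug in a WordPress site.
// Added example, not part of the advisory or the plugin. Assumes the standard
// layout <root>/wp-content/uploads and the (assumed) main plugin file
// <root>/wp-content/plugins/wp-hotel-booking/wp-hotel-booking.php.
// Usage: php wp_upload_audit.php /var/www/html

const SAFE_UPLOAD_EXT = array( 'jpg', 'jpeg', 'png', 'gif', 'webp', 'avif', 'ico', 'svg',
                               'pdf', 'txt', 'csv', 'zip', 'mp3', 'mp4', 'webm' );
const EXEC_EXT        = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar',
                               'phps', 'inc', 'shtml', 'cgi', 'pl', 'py', 'sh', 'htaccess' );

/** Read the "Version:" header from a plugin's main file; null if unreadable or absent. */
function plugin_version( string $plugin_main_file ): ?string {
    if ( ! is_readable( $plugin_main_file ) ) {
        return null;
    }
    $head = (string) file_get_contents( $plugin_main_file, false, null, 0, 8192 );
    return preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m ) ? $m[1] : null;
}

/** True when the installed version is inside the affected range (<= 2.1.2). */
function is_affected( ?string $version ): bool {
    return $version !== null && version_compare( $version, '2.1.2', '<=' );
}

/**
 * Walk the uploads tree and return files that should not be there:
 *  - a server-side extension anywhere in the name (catches shell.php.jpg and .htaccess)
 *  - an extension outside the allowlist
 *  - PHP open tags inside a file that claims to be an image or document (polyglot)
 */
function scan_uploads( string $uploads_dir ): array {
    $findings = array();
    if ( ! is_dir( $uploads_dir ) ) {
        return $findings;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $uploads_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        $path  = $file->getPathname();
        $parts = array_map( 'strtolower', explode( '.', $file->getFilename() ) );
        array_shift( $parts );                 // drop the base name; the rest are extensions
        $ext   = $parts ? end( $parts ) : '';

        if ( array_intersect( $parts, EXEC_EXT ) ) {
            $findings[] = array( 'path' => $path, 'reason' => 'executable extension' );
            continue;
        }
        if ( ! in_array( $ext, SAFE_UPLOAD_EXT, true ) ) {
            $findings[] = array( 'path' => $path, 'reason' => 'extension not in allowlist' );
            continue;
        }
        $head = (string) file_get_contents( $path, false, null, 0, 65536 );
        if ( stripos( $head, '<?php' ) !== false || strpos( $head, '<?=' ) !== false ) {
            $findings[] = array( 'path' => $path, 'reason' => 'PHP code inside non-PHP file' );
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $root    = rtrim( $argv[1], '/' );
    $version = plugin_version( "$root/wp-content/plugins/wp-hotel-booking/wp-hotel-booking.php" );
    printf( "WP Hotel Booking version: %s (%s)\n",
        $version ?? 'not installed',
        is_affected( $version ) ? 'AFFECTED' : 'outside affected range' );
    foreach ( scan_uploads( "$root/wp-content/uploads" ) as $f ) {
        printf( "SUSPECT %-28s %s\n", $f['reason'], $f['path'] );
    }
}
```

A flagged `.htaccess` inside uploads deserves a look either way: attackers drop one to re-enable PHP execution in that directory, while some hardening setups drop one to disable it. Any file reported as "PHP code inside non-PHP file" should be treated as a likely web shell and the account that uploaded it (visible in the plugin's review records or the web server access log for the upload request) investigated.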
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Brazil, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-08-15T16:46:42.025Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c20b7ef31ef0b560354
Added to database: 2/25/2026, 9:39:44 PM
Last enriched: 2/26/2026, 3:49:50 AM
Last updated: 2/26/2026, 8:56:08 AM
Related Threats
- CVE-2026-1698 (Medium): CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax in arcinfo PcVue
- CVE-2026-1697 (Medium): CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in arcinfo PcVue
- CVE-2026-1696 (Low): CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue
- CVE-2026-1695 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue
- CVE-2026-1694 (Low): CWE-201 Insertion of Sensitive Information into Sent Data in arcinfo PcVue