Impact
The vulnerability is an improper control of the filename used in a PHP include or require statement within the nicdark Hotel Booking plugin. It permits a local file to be included based on user input. This can expose configuration files, source code, and any readable file on the server. If the included file contains executable PHP code, an attacker may be able to run that code.
Affected Systems
WordPress sites that use the nicdark Hotel Booking (nd-booking) plugin with version 3.6 or earlier are affected. Sites that have not upgraded to a later version are exposed.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. The EPSS score of <1% points to a low likelihood of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that an attacker could trigger the inclusion by sending a crafted request to a URL parameter that supplies the include path. The attack could be performed by an unauthenticated user if the vulnerable endpoint is publicly accessible. Successful exploitation would grant the attacker read access to arbitrary local files and could allow execution of any PHP code included.
OpenCVE Enrichment
EUVD