Bug exploit publicly available, discloses travel info

May 11, 2015 15:37 GMT  ·  By

A cross-site scripting (XSS) vulnerability has been identified in the RoomCloud hotel booking plugin for WordPress, allowing an attacker to find travel information about customers.

The plugin integrates the RoomCloud booking form into a WordPress website for lodging and hospitality services, so that clients can make online reservations.

Travel information could be easily exposed

Security researcher Nitin Venkatesh found the bug and reported it to the developers in a responsible manner. He says that the flaw stems from improperly sanitized parameters.

As per his disclosure on Saturday, an attacker could exploit the glitch in order to find out details about someone’s reservation status at a hotel. This would include the stay duration and the number of accompanying persons, both adults and children.
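As an added illustration of the bug class described above (not the plugin's code and not the researcher's proof of concept), the following hypothetical WordPress shortcode reflects booking-form request parameters into the page, first unescaped and then with input validation and output escaping; the shortcode, function and parameter names are assumptions, not RoomCloud's.

```php
<?php
// Added illustration of reflected XSS from unsanitized request parameters in a
// booking form. Function, parameter and shortcode names are hypothetical.

// VULNERABLE pattern: query-string values are echoed straight into markup.
function hypothetical_booking_form_unsafe() {
    $checkin = isset( $_GET['checkin'] ) ? $_GET['checkin'] : '';
    $adults  = isset( $_GET['adults'] )  ? $_GET['adults']  : '1';
    // Whatever arrives in the URL lands verbatim in the page (reflected XSS).
    return '<input name="checkin" value="' . $checkin . '">'
         . '<input name="adults" value="' . $adults . '">';
}

// HARDENED pattern: validate on input, escape on output.
function hypothetical_booking_form_safe() {
    // wp_unslash() undoes WordPress's added slashes; sanitize_text_field()
    // strips tags and control characters from the raw string.
    $checkin = isset( $_GET['checkin'] )
        ? sanitize_text_field( wp_unslash( $_GET['checkin'] ) ) : '';
    // Enforce the expected shape (YYYY-MM-DD) instead of trusting free text.
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $checkin ) ) {
        $checkin = '';
    }
    // Guest counts are integers; absint() discards anything else.
    $adults = isset( $_GET['adults'] ) ? absint( $_GET['adults'] ) : 1;
    $adults = min( max( $adults, 1 ), 10 );

    // esc_attr() is the context-appropriate escape for an HTML attribute value.
    return '<input name="checkin" value="' . esc_attr( $checkin ) . '">'
         . '<input name="adults" value="' . esc_attr( (string) $adults ) . '">';
}

// Only the hardened handler is registered as a shortcode.
add_shortcode( 'hypothetical_booking_form', 'hypothetical_booking_form_safe' );
```

The fix is the combination of shape validation on the way in and context-specific escaping on the way out; sanitizing alone does not make an attribute value safe.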

Venkatesh also published the proof-of-concept code that demonstrates the flaw. Administrators of hotel websites are advised to update the plugin to the latest version released by the developer.

The vulnerability was reported by the researcher on March 19, both to the developer and to the WordPress team, who pulled it from the download list three days later.

Developer addresses the issue

RoomCloud addressed the issue on March 21 and the plugin was available again on WordPress.org. The public disclosure date was initially set for May 5, but the researcher revealed the details only on Saturday, probably to give admins more time to patch.

The flaw was discovered in version 1.1, build 1115307, and has been patched in build 1117499 of the same main version.

According to statistics from WordPress.org, the component has over 20 active installations, which is a low number, but the potential number of users impacted by a security flaw in the plugin could be significant.

On the other hand, the RoomCloud team boasts integration with well-known online travel and leisure retailers such as LastMinute, HolidayLettings, Hotel.de, Hoteliers.com, Expedia and Agoda.