Platform
wordpress
Component
gdlr-hotel
Fixed in
3.1.5
CVE-2025-39504 describes a critical SQL Injection vulnerability discovered in GoodLayers Hotel, a WordPress plugin. This flaw allows attackers to potentially extract sensitive data through blind SQL injection techniques. The vulnerability impacts versions from 0.0.0 up to and including 3.1.4. A patch is available in version 3.1.5.
The SQL Injection vulnerability in GoodLayers Hotel poses a significant risk to WordPress websites using the plugin. An attacker could exploit this flaw to bypass authentication and gain unauthorized access to the database. This could lead to the exfiltration of sensitive user data, including usernames, passwords, email addresses, and potentially financial information if the plugin interacts with e-commerce functionality. The blind nature of the injection means the attacker doesn't receive direct feedback from the database, requiring more sophisticated techniques to extract data, but the potential impact remains severe. Successful exploitation could also allow for modification or deletion of data, leading to website defacement or complete data loss.
CVE-2025-39504 was publicly disclosed on 2025-05-23. The vulnerability's severity is high due to the potential for data exfiltration and unauthorized access. No public proof-of-concept (PoC) code has been released at the time of writing, but the nature of blind SQL injection makes it likely that one will emerge. It is not currently listed on the CISA KEV catalog.
Websites using GoodLayers Hotel plugin, particularly those with sensitive user data or e-commerce functionality, are at risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially expose data from others.
• wordpress / composer / npm:
grep -r "gdlr-hotel" /var/www/html/wp-content/plugins/
• generic web (an HTTP status other than 404 for the plugin directory suggests it is installed):
curl -sI https://your-wordpress-site.com/wp-content/plugins/gdlr-hotel/ | head -n 1
• wordpress / composer / npm:
wp plugin list | grep gdlr-hotel
Disclosure
Exploit status
EPSS
0.23% (46th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-39504 is to immediately upgrade GoodLayers Hotel to version 3.1.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a short-term workaround, implement a Web Application Firewall (WAF) with rules to filter potentially malicious SQL injection attempts targeting the vulnerable endpoints. Monitor WordPress access logs for suspicious SQL queries, particularly those involving special characters or unusual patterns. While a direct detection signature is difficult to create for blind SQL injection, monitoring for unusual database activity can provide early warning signs.
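One way to act on the log-monitoring advice above, as an added example that is not part of this advisory or of the plugin: a small Python scanner that parses combined-format access-log lines, decodes query strings, flags common blind SQL injection probing markers, and escalates clients that repeat them. The `/booking/` path, the `room_id` parameter and the sample log lines are constructed placeholders, since the advisory does not name the vulnerable endpoint, and the indicator regexes are generic heuristics that need tuning against a site's own legitimate parameters.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined-log-format request line: client IP, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Heuristic markers in decoded query strings: time-delay functions (time-based blind),
# AND/OR tautology probes (boolean-based blind), SQL comment sequences, UNION SELECT.
INDICATORS = {
    "time_delay": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I),
    "boolean_probe": re.compile(r"(['\"]|\d)\s*(and|or)\s*['\"\d]", re.I),
    "sql_comment": re.compile(r"(--|#|/\*)"),
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
}

def parse_line(line):
    """Parse one access-log line into ip/path/decoded query/status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    return {"ip": m.group("ip"), "path": path,
            "query": unquote_plus(query), "status": int(m.group("status"))}

def indicators_for(query):
    return [name for name, rx in INDICATORS.items() if rx.search(query)]

def scan(log_text, threshold=3):
    """Report every request with indicators and escalate clients that repeat them.
    Blind SQLi is extracted one true/false (or slow/fast) answer at a time, so one
    client sending many probes is the strongest signal in the logs."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (found := indicators_for(rec["query"])):
            hits.append({**rec, "indicators": found})
            per_ip[rec["ip"]] += 1
    suspects = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"hits": hits, "suspect_ips": suspects}

# Constructed sample traffic (not real logs); /booking/ and room_id are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/2025:10:01:02 +0000] "GET /booking/?room_id=12 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [23/May/2025:10:01:03 +0000] "GET /booking/?room_id=12%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [23/May/2025:10:01:04 +0000] "GET /booking/?room_id=12%20AND%201%3D1 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [23/May/2025:10:01:05 +0000] "GET /booking/?room_id=12%20AND%201%3D2 HTTP/1.1" 200 498 "-" "curl/8.0"
198.51.100.7 - - [23/May/2025:10:02:00 +0000] "GET /booking/?checkin=2025-06-01&guests=2 HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
"""
```

Run `scan(SAMPLE_LOG)` to get the three flagged probes and the single repeat-probing client; lower `threshold` for quieter sites or raise it where the parameters legitimately carry SQL-like words.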
Update the GoodLayers Hotel plugin to the latest available version to mitigate the blind SQL injection vulnerability. Check the plugin's official source on wordpress.org for the most recent update and follow the installation instructions provided by the developer. Implement additional security measures, such as validating and sanitizing user input, to prevent future vulnerabilities.
CVE-2025-39504 is a critical SQL Injection vulnerability affecting the GoodLayers Hotel WordPress plugin, versions 0.0.0 through 3.1.4, allowing attackers to potentially extract sensitive data.
If you are using GoodLayers Hotel version 0.0.0 through 3.1.4 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade GoodLayers Hotel to version 3.1.5 or later to remediate the SQL Injection vulnerability. If immediate upgrade is not possible, disable the plugin or implement a WAF.
While no active exploitation has been confirmed, the vulnerability's severity and the nature of blind SQL injection suggest it is likely to be targeted.
Refer to the GoodLayers Hotel website and WordPress plugin repository for the latest security advisories and updates related to CVE-2025-39504.