CVE-2025-62916

Severity: HIGH (CVSS 3.1 base score 8.8)
Published: 2025-10-27

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 27, 2025 - 02:15 (nvd)

Description (source: NVD)

Missing Authorization vulnerability in Travon WP Flights & Hotels Booking WP Plugin adiaha-hotel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flights & Hotels Booking WP Plugin: from n/a through <= 3.1.

Analysis (source: AI)

Broken access control in WP Flights & Hotels Booking WP Plugin (adiaha-hotel) versions ≤3.1 allows authenticated users with low privileges to bypass authorization checks and gain unauthorized access to high-impact functionality. Attackers can achieve complete compromise of confidentiality, integrity, and availability within the plugin's scope. EPSS score of 0.05% (15th percentile) indicates low observed exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Technical Context (source: AI)

This vulnerability stems from CWE-862 (Missing Authorization), a common server-side access control flaw in which an application fails to verify that the requesting user is permitted to perform a sensitive action. The affected component is the WP Flights & Hotels Booking WP Plugin (adiaha-hotel) for WordPress, which likely exposes administrative or privileged functions without proper capability checks against WordPress user roles. The plugin appears to implement authorization logic incorrectly, or to omit it entirely, on endpoints that should be restricted to administrators. Because WordPress by default assigns a range of privilege levels (subscriber, contributor, author, editor, administrator), a missing authorization check means that any authenticated user, even one with minimal privileges such as the subscriber role, can invoke restricted operations. The CVSS vector's AC:L component indicates that exploitation requires no special conditions once an attacker holds low-privilege credentials, and PR:L confirms that authentication as a low-privilege user is sufficient.
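As an added illustration of the CWE-862 pattern described above (constructed example code, not code from the adiaha-hotel plugin; every function, action and meta-key name is hypothetical), the first handler registers a WordPress AJAX action that any logged-in user can invoke because wp_ajax_{action} hooks only require authentication, and the second shows the same operation with a nonce check and a current_user_can() capability test in place.

```php
<?php
// Constructed example for a hypothetical booking-status update endpoint.
// Not the adiaha-hotel plugin's code; names are invented for illustration.

// VULNERABLE pattern (CWE-862): the wp_ajax_ hook guarantees only that the
// caller is logged in. Nothing here checks WHAT the caller is allowed to do,
// so a subscriber can change any booking's status.
function mybooking_update_status_unchecked() {
    $booking_id = (int) ( $_POST['booking_id'] ?? 0 );
    $status     = sanitize_key( $_POST['status'] ?? '' );
    update_post_meta( $booking_id, '_mybooking_status', $status );
    wp_send_json_success();
}
add_action( 'wp_ajax_mybooking_update_status_v1', 'mybooking_update_status_unchecked' );

// HARDENED form: authorization and request-origin checks before any write.
function mybooking_update_status_checked() {
    // CSRF protection: dies with a 403 if the nonce for this action is missing
    // or invalid. The nonce must be issued with wp_create_nonce( 'mybooking_update_status' ).
    check_ajax_referer( 'mybooking_update_status', 'nonce' );

    // Authorization (the check that CWE-862 describes as missing): only users
    // holding the administrative capability may change bookings. Use a more
    // specific custom capability if the plugin defines one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }

    // Input validation: reject unknown post IDs and unexpected status values.
    $booking_id = (int) ( $_POST['booking_id'] ?? 0 );
    $status     = sanitize_key( $_POST['status'] ?? '' );
    $allowed    = array( 'pending', 'confirmed', 'cancelled' );
    if ( $booking_id <= 0 || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 ); // exits
    }

    update_post_meta( $booking_id, '_mybooking_status', $status );
    wp_send_json_success( array( 'booking_id' => $booking_id, 'status' => $status ) );
}
add_action( 'wp_ajax_mybooking_update_status_v2', 'mybooking_update_status_checked' );
```

When verifying a patched version with different roles, as the remediation guidance suggests, the expected behaviour is the hardened one: a subscriber's request is rejected with 403 before any data changes.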

Affected Products (source: AI)

The vulnerability impacts WP Flights & Hotels Booking WP Plugin, also known by the slug 'adiaha-hotel', across all versions from the earliest release through version 3.1 inclusive. This is a WordPress plugin developed by the vendor Travon and used to manage flight and hotel booking functionality within WordPress sites. The vulnerable component processes requests from authenticated WordPress users without verifying their authorization level. No CPE identifier was provided in the available data sources. Organizations can determine exposure by checking the installed plugin version in the WordPress admin dashboard under Plugins, or by reviewing the wp-content/plugins/adiaha-hotel directory. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/adiaha-hotel/vulnerability/wordpress-flights-hotels-booking-wp-plugin-plugin-3-1-broken-access-control-vulnerability provides additional vendor-specific context.

Remediation (source: AI)

No vendor-released patch had been identified at the time of analysis for versions beyond 3.1. Organizations should immediately check the WordPress plugin repository or contact the vendor Travon directly to determine whether a patched version has been released since this advisory. Until an official patch is available, implement the following compensating controls: restrict WordPress user registration to prevent untrusted users from obtaining authenticated access; audit existing user accounts and remove or demote low-privilege users who do not require access; implement web application firewall (WAF) rules to monitor and block suspicious requests to plugin endpoints; consider temporarily disabling the adiaha-hotel plugin if booking functionality is not business-critical; and review WordPress access logs for evidence of unauthorized actions by low-privilege accounts. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/adiaha-hotel/vulnerability/wordpress-flights-hotels-booking-wp-plugin-plugin-3-1-broken-access-control-vulnerability for vendor updates and additional mitigation guidance. After applying any future patch, verify that authorization checks are enforced by testing plugin functionality with different WordPress user roles.

