CVE-2025-63001

2025-12-31 [email protected]

Lifecycle Timeline

CVE Published: Dec 31, 2025 - 15:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)

Description

Missing Authorization vulnerability in nicdark Hotel Booking nd-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Booking: from n/a through <= 3.8.

Analysis

Versions 3.8 and earlier of the nicdark Hotel Booking (nd-booking) WordPress plugin omit an authorization check on at least one plugin action, so a user whose role is not meant to perform that action can still invoke it. The advisory does not name the affected function or the lowest privilege level needed to reach it, so the practical impact (reading booking and guest data, changing plugin settings, or something narrower) cannot be determined from the published description alone. Exploitation probability is low (EPSS 0.04%) and no public exploit code has been identified, which places this below actively exploited issues; it should still be patched promptly, because missing-authorization bugs in WordPress plugins are typically trivial to exploit once the endpoint is known, and the fix is a routine plugin update.

Technical Context

This vulnerability is classed as CWE-862 (Missing Authorization): the application performs a privileged operation without first verifying that the caller holds the permission that operation requires. In WordPress plugins this almost always takes the form of a request handler (an admin-ajax.php action, a REST route, or an admin-post.php handler) that runs without a current_user_can() capability check, frequently without a nonce check as well. For the nicdark Hotel Booking plugin, which stores reservations and guest details in the WordPress database, the consequence is that a user with a lower role than intended can reach an action the plugin meant to reserve for higher-privileged users simply by sending the request directly. The published advisory does not name the affected action or the lowest role that can trigger it, so whether the exposed operation reads booking records, alters plugin configuration, or does something narrower has to be established from the vendor's fix. The identifier in the source data, wp:nd-booking:<=3.8, is a plugin slug plus version bound, not an NVD CPE 2.3 string.
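The pattern described above, shown as an added example. This is hypothetical code written for this page to illustrate CWE-862 in a WordPress booking plugin; it is not nd-booking's code, and the action names (hb_export_bookings), custom post type (hb_booking), meta keys, REST namespace and the manage_options capability are all assumptions. The vulnerable handler answers any caller; the hardened one requires a logged-in session, a nonce, and the capability check that CWE-862 says is missing.

```php
<?php
/*
 * Hypothetical CWE-862 illustration for a WordPress booking plugin.
 * NOT code from nd-booking. Handler names, post type, meta keys and the
 * required capability are assumptions chosen for this example.
 */

// Shared data access used by both handlers below.
function hb_collect_bookings() {
    $bookings = get_posts( array(
        'post_type'   => 'hb_booking',   // assumed custom post type
        'numberposts' => -1,
        'post_status' => 'any',
    ) );
    $out = array();
    foreach ( $bookings as $b ) {
        $out[] = array(
            'id'    => $b->ID,
            'guest' => get_post_meta( $b->ID, 'hb_guest_name', true ),   // assumed meta keys
            'email' => get_post_meta( $b->ID, 'hb_guest_email', true ),
        );
    }
    return $out;
}

// --- Vulnerable pattern (missing authorization) --------------------------
// Registered on both the logged-in and the anonymous admin-ajax hooks, with
// no capability check and no nonce. Anyone who knows the action name can
// request /wp-admin/admin-ajax.php?action=hb_export_bookings and receive
// every guest's name and e-mail address.
add_action( 'wp_ajax_hb_export_bookings',        'hb_export_bookings_vulnerable' );
add_action( 'wp_ajax_nopriv_hb_export_bookings', 'hb_export_bookings_vulnerable' );

function hb_export_bookings_vulnerable() {
    wp_send_json_success( hb_collect_bookings() );   // terminates the request
}

// --- Hardened pattern ----------------------------------------------------
// 1. Only the logged-in hook: no wp_ajax_nopriv_ registration.
// 2. check_ajax_referer() ties the request to a page the user loaded
//    (the nonce comes from wp_create_nonce( 'hb_export_bookings' ),
//    typically passed to the browser via wp_localize_script). It calls
//    wp_die() on a missing or bad nonce.
// 3. current_user_can() is the authorization check CWE-862 is about: a
//    valid session is not enough, the caller must hold the capability.
add_action( 'wp_ajax_hb_export_bookings_v2', 'hb_export_bookings_hardened' );

function hb_export_bookings_hardened() {
    check_ajax_referer( 'hb_export_bookings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {   // assumed required capability
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( hb_collect_bookings() );
}

// --- Same bug in a REST route --------------------------------------------
// '__return_true' as permission_callback is the REST-API equivalent of the
// missing check: the route is public. The hardened registration delegates
// authorization to the same capability test.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hb/v1', '/bookings-open', array(       // vulnerable
        'methods'             => 'GET',
        'callback'            => 'hb_collect_bookings',
        'permission_callback' => '__return_true',
    ) );
    register_rest_route( 'hb/v1', '/bookings', array(            // hardened
        'methods'             => 'GET',
        'callback'            => 'hb_collect_bookings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin for this class of bug, grep for add_action( 'wp_ajax_nopriv_ and for permission_callback' => '__return_true' and confirm that every handler reached that way is genuinely meant to be public; then check that each wp_ajax_ and admin_post_ handler calls current_user_can() (or a map_meta_cap-backed capability) before it reads or writes anything sensitive. A nonce alone is not authorization: it proves the request came from a page the site served, not that the user is allowed to perform the action.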

Affected Products

nicdark Hotel Booking (plugin slug nd-booking) for WordPress, versions 3.8 and earlier. The plugin is distributed through WordPress.org. The advisory gives only the upper bound (<= 3.8) and no lower bound, so every release up to and including 3.8 should be treated as affected.

Remediation

Update nicdark Hotel Booking to a version later than 3.8; the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/nd-booking/vulnerability/wordpress-hotel-booking-plugin-3-8-broken-access-control-vulnerability lists the fixed version. Apply the update through Plugins > Installed Plugins > Update in the WordPress admin, or with WP-CLI (wp plugin update nd-booking), and confirm the installed version afterwards (wp plugin get nd-booking --field=version). Enabling automatic updates for the plugin lets later fixes land without manual action. No workaround is published. Because the advisory does not identify the affected action, WAF rules cannot be targeted at it precisely; if patching has to wait, deactivating the plugin is the only reliable interim control. After patching, review booking records and plugin settings for unexpected changes: a missing-authorization bug is exploited with ordinary-looking requests and leaves no failed-login trail.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
