Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-delivered reflected XSS with browser scope change; PR:N as no attacker authentication required, UI:R mandatory, C/I limited to browser-context data only.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'check_in_date' and 'check_out_date' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AnalysisAI
Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits unauthenticated remote attackers to inject arbitrary JavaScript via the check_in_date and check_out_date URL parameters across multiple search result and Elementor widget templates. Successful exploitation requires tricking a victim into clicking a crafted link, after which the injected script executes in the victim's browser context - making logged-in administrators particularly high-value targets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The WP Hotel Booking plugin version 2.3.1 or earlier must be installed and active on the target WordPress site, and the room search or listing feature must be publicly accessible (default configuration for hotel booking sites). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 6.1 (Medium) accurately reflects the attack profile: network-reachable and requiring no privileges (AV:N/PR:N) but mandating active user interaction (UI:R), which substantially limits opportunistic mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL pointing to an affected hotel site's room search results page, embedding a JavaScript payload in the check_in_date parameter (e.g., appending a script tag or event-handler injection), then distributes this URL to hotel website visitors or administrators via phishing email, booking confirmation reply, or social media. When a victim clicks the link and the search results page renders, the unsanitized parameter is reflected directly into the HTML, causing the injected script to execute in the victim's browser - enabling session cookie exfiltration, credential harvesting overlays, or silent form submission on behalf of the victim. … |
| Remediation | Upgrade the WP Hotel Booking plugin to version 2.3.2 or later; WordPress plugin repository references confirm that the affected template files (loop.php, loop-v2.php, list-results-room.php) were modified in the 2.3.2 tag at the same locations where the vulnerability was identified, though an explicit vendor changelog statement was not present in the provided input data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wp Hotel Booking
View allThe WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/r
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not esca
Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hos
The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensu
The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in
Missing Authorization vulnerability in ThimPress WP Hotel Booking.0.9.2. Rated medium severity (CVSS 6.5), this vulnerab
Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbi
The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42786
GHSA-8989-8rh8-rh5m