Skip to main content

MotoPress Hotel Booking CVE-2026-8684

| EUVDEUVD-2026-31417 MEDIUM
Missing Authorization (CWE-862)
2026-05-22 Wordfence GHSA-x7jf-v64x-878j
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 09:33 vuln.today

DescriptionCVE.org

The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction.

AnalysisAI

Authorization bypass in MotoPress Hotel Booking plugin for WordPress (all versions through 6.0.1) allows unauthenticated remote attackers to overwrite or delete internal booking notes for any reservation by supplying an arbitrary booking ID. The root cause is a nonce that is unconditionally output into every public page's HTML via wp_localize_script under MPHB._data.nonces, meaning any site visitor - without an account or any prior interaction - can obtain a valid nonce and invoke the update-booking-notes AJAX action against any booking. No public exploit code has been identified at time of analysis, but the trivially accessible nonce makes this effectively zero-friction to abuse.

Technical ContextAI

The vulnerability resides in the plugin's AJAX API layer, specifically in the update-booking-notes action (includes/ajax-api/ajax-actions/update-booking-notes.php) and its base class (abstract-ajax-api-action.php), orchestrated by ajax-api-handler.php. CWE-862 (Missing Authorization) describes the root cause: the handler validates nonce integrity but never checks whether the requesting user is authorized to modify the target booking. WordPress nonces are meant to prevent CSRF but not to gatekeep authorization - yet here the nonce (exposed globally via wp_localize_script) is the only gate. The affected meta field _mphb_booking_internal_notes stores operator-facing notes on hotel reservations. CPE cpe:2.3:a:jetmonsters:motopress_hotel_booking:*:*:*:*:*:*:*:* covers all versions through 6.0.1 of the JetMonsters-published plugin. Code is auditable at the WordPress plugin trac browser for both 5.4.1 and 6.0.1 tags.

RemediationAI

An upstream fix has been committed to the plugin trunk as WordPress trac changeset 3537354, modifying update-booking-notes.php to enforce authorization checks. However, the exact released plugin version containing this fix is not independently confirmed from available data - site administrators should check the WordPress plugin repository for a version newer than 6.0.1 and update immediately upon availability. As a compensating control until a patched release is confirmed, administrators can restrict access to WordPress AJAX endpoints (wp-admin/admin-ajax.php) for unauthenticated users via WAF rules or server-level controls, accepting that this may break other public AJAX functionality. Alternatively, operators can deactivate the plugin's note-editing feature if not operationally required. Monitoring wp-admin/admin-ajax.php POST requests for the update-booking-notes action from unauthenticated sessions can serve as a detection measure.

Share

CVE-2026-8684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy