Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction.
AnalysisAI
Authorization bypass in MotoPress Hotel Booking plugin for WordPress (all versions through 6.0.1) allows unauthenticated remote attackers to overwrite or delete internal booking notes for any reservation by supplying an arbitrary booking ID. The root cause is a nonce that is unconditionally output into every public page's HTML via wp_localize_script under MPHB._data.nonces, meaning any site visitor - without an account or any prior interaction - can obtain a valid nonce and invoke the update-booking-notes AJAX action against any booking. No public exploit code has been identified at time of analysis, but the trivially accessible nonce makes this effectively zero-friction to abuse.
Technical ContextAI
The vulnerability resides in the plugin's AJAX API layer, specifically in the update-booking-notes action (includes/ajax-api/ajax-actions/update-booking-notes.php) and its base class (abstract-ajax-api-action.php), orchestrated by ajax-api-handler.php. CWE-862 (Missing Authorization) describes the root cause: the handler validates nonce integrity but never checks whether the requesting user is authorized to modify the target booking. WordPress nonces are meant to prevent CSRF but not to gatekeep authorization - yet here the nonce (exposed globally via wp_localize_script) is the only gate. The affected meta field _mphb_booking_internal_notes stores operator-facing notes on hotel reservations. CPE cpe:2.3:a:jetmonsters:motopress_hotel_booking:*:*:*:*:*:*:*:* covers all versions through 6.0.1 of the JetMonsters-published plugin. Code is auditable at the WordPress plugin trac browser for both 5.4.1 and 6.0.1 tags.
RemediationAI
An upstream fix has been committed to the plugin trunk as WordPress trac changeset 3537354, modifying update-booking-notes.php to enforce authorization checks. However, the exact released plugin version containing this fix is not independently confirmed from available data - site administrators should check the WordPress plugin repository for a version newer than 6.0.1 and update immediately upon availability. As a compensating control until a patched release is confirmed, administrators can restrict access to WordPress AJAX endpoints (wp-admin/admin-ajax.php) for unauthenticated users via WAF rules or server-level controls, accepting that this may break other public AJAX functionality. Alternatively, operators can deactivate the plugin's note-editing feature if not operationally required. Monitoring wp-admin/admin-ajax.php POST requests for the update-booking-notes action from unauthenticated sessions can serve as a detection measure.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31417
GHSA-x7jf-v64x-878j