Skip to main content

WP Hotel Booking CVE-2026-9822

| EUVDEUVD-2026-37994 MEDIUM
2026-06-19 WPScan GHSA-mcv8-q72x-f535
6.5
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

PR:L required since a Subscriber-level account is mandatory; C:H reflects cross-user booking PII and coupon enumeration; no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 22, 2026 - 19:10 vuln.today
CVSS changed
Jun 22, 2026 - 18:23 NVD
6.5 (MEDIUM)
Patch available
Jun 19, 2026 - 08:46 EUVD
CVE Published
Jun 19, 2026 - 06:00 cve.org
MEDIUM 6.5
CVE Published
Jun 19, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

AnalysisAI

Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hospitality business data to any authenticated Subscriber-level user. Affected AJAX handlers lack WordPress capability checks, enabling low-privilege users to read other guests' booking line items, enumerate active coupon codes, and access internal pricing data across the entire site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain Subscriber account on target site
Delivery
Authenticate to WordPress session
Exploit
Craft POST requests to wp-admin/admin-ajax.php targeting unprotected handlers
Execution
Enumerate booking line items and guest data
Persist
Extract active coupon codes
Impact
Exploit coupons or exfiltrate PII

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated WordPress session at Subscriber privilege level or higher on the specific target site - the lowest default role assigned to any registered user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, score 6.5) is internally consistent with the vulnerability description: network-reachable, low complexity, requires only a low-privilege account, no user interaction, and yields high confidentiality impact with no integrity or availability dimension. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free Subscriber account on a hotel's WordPress site running an unpatched WP Hotel Booking version, then uses the publicly available WPScan proof-of-concept to directly invoke unprotected AJAX endpoints, iterating over booking records to harvest guest personal data and extract active coupon codes. The attacker can then apply stolen coupon codes to their own bookings for unauthorized discounts or sell the extracted guest PII and coupon data externally.
Remediation Upgrade WP Hotel Booking to version 2.3.1 or later, which is the vendor-released patch resolving the missing capability checks across affected AJAX handlers; apply the update via the WordPress admin dashboard under Plugins > Installed Plugins. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-3605 CRITICAL POC
10.0 Jun 20

The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/r

CVE-2023-5652 CRITICAL POC
9.8 Nov 20

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not esca

CVE-2023-5799 MEDIUM POC
5.4 Nov 20

The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing

CVE-2023-5651 MEDIUM POC
5.4 Nov 20

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensu

CVE-2024-7855 HIGH
8.8 Oct 02

The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in

CVE-2024-30508 MEDIUM
6.5 Mar 29

Missing Authorization vulnerability in ThimPress WP Hotel Booking.0.9.2. Rated medium severity (CVSS 6.5), this vulnerab

CVE-2026-11392 MEDIUM
6.1 Jul 10

Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits

CVE-2026-11901 MEDIUM
5.3 Jul 11

Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbi

CVE-2020-36757 MEDIUM
4.3 Jul 12

The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,

CVE-2024-13447 MEDIUM
4.3 Jan 22

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check

CVE-2024-12370 MEDIUM
5.3 Jan 17

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability

Share

CVE-2026-9822 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy