Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
PR:L required since a Subscriber-level account is mandatory; C:H reflects cross-user booking PII and coupon enumeration; no integrity or availability impact applies.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.
AnalysisAI
Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hospitality business data to any authenticated Subscriber-level user. Affected AJAX handlers lack WordPress capability checks, enabling low-privilege users to read other guests' booking line items, enumerate active coupon codes, and access internal pricing data across the entire site. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated WordPress session at Subscriber privilege level or higher on the specific target site - the lowest default role assigned to any registered user. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, score 6.5) is internally consistent with the vulnerability description: network-reachable, low complexity, requires only a low-privilege account, no user interaction, and yields high confidentiality impact with no integrity or availability dimension. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free Subscriber account on a hotel's WordPress site running an unpatched WP Hotel Booking version, then uses the publicly available WPScan proof-of-concept to directly invoke unprotected AJAX endpoints, iterating over booking records to harvest guest personal data and extract active coupon codes. The attacker can then apply stolen coupon codes to their own bookings for unauthorized discounts or sell the extracted guest PII and coupon data externally. |
| Remediation | Upgrade WP Hotel Booking to version 2.3.1 or later, which is the vendor-released patch resolving the missing capability checks across affected AJAX handlers; apply the update via the WordPress admin dashboard under Plugins > Installed Plugins. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wp Hotel Booking
View allThe WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/r
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not esca
The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensu
The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in
Missing Authorization vulnerability in ThimPress WP Hotel Booking.0.9.2. Rated medium severity (CVSS 6.5), this vulnerab
Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits
Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbi
The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37994
GHSA-mcv8-q72x-f535