Skip to main content

Hotel Booking Lite EUVDEUVD-2026-41346

| CVE-2026-57347 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-07-02 Patchstack GHSA-c6qc-3v35-vw8p
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

PR:L reflects mandatory subscriber authentication; C:H for sensitive guest/booking data exposure; no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:36 vuln.today

DescriptionCVE.org

Subscriber Sensitive Data Exposure in Hotel Booking Lite <= 6.0.3 versions.

AnalysisAI

Sensitive subscriber data exposure in the Hotel Booking Lite WordPress plugin (versions 6.0.3 and earlier) allows authenticated low-privileged users to access confidential booking or guest information they should not be authorized to view. The vulnerability, classified under CWE-201, involves the plugin including sensitive data in API responses or rendered output accessible to subscriber-level WordPress accounts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register subscriber account on target WordPress site
Exploit
Send authenticated crafted request to Hotel Booking Lite endpoint
Execution
Receive response containing sensitive guest or booking data
Impact
Exfiltrate PII or reservation details

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress subscriber-level (or higher) account on the target site running Hotel Booking Lite 6.0.3 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 6.5 (Medium) is consistent with the risk profile: the attack is network-accessible with low complexity and requires only a subscriber-level WordPress account, but does not allow data modification or service disruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds a subscriber-level account on a target hotel's WordPress site running Hotel Booking Lite 6.0.3 or earlier. The attacker sends a crafted authenticated HTTP request - likely to a REST API endpoint or AJAX handler - and receives a response containing sensitive booking records, guest personal data, or reservation details belonging to other users. …
Remediation The primary remediation is to update the Hotel Booking Lite plugin to a version beyond 6.0.3, as reported by Patchstack; however, an exact patched version number is not independently confirmed from the provided data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/motopress-hotel-booking-lite/vulnerability/wordpress-hotel-booking-lite-plugin-6-0-3-sensitive-data-exposure-vulnerability?_s_id=cve and the WordPress plugin repository for the latest release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41346 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy