Hotel Booking Lite
Monthly
Sensitive subscriber data exposure in the Hotel Booking Lite WordPress plugin (versions 6.0.3 and earlier) allows authenticated low-privileged users to access confidential booking or guest information they should not be authorized to view. The vulnerability, classified under CWE-201, involves the plugin including sensitive data in API responses or rendered output accessible to subscriber-level WordPress accounts. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact and low barrier to exploitation (only a subscriber account required) make patching a priority for any hospitality operator running this plugin.
The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in MotoPress Hotel Booking Lite plugin <= 4.6.0 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Sensitive subscriber data exposure in the Hotel Booking Lite WordPress plugin (versions 6.0.3 and earlier) allows authenticated low-privileged users to access confidential booking or guest information they should not be authorized to view. The vulnerability, classified under CWE-201, involves the plugin including sensitive data in API responses or rendered output accessible to subscriber-level WordPress accounts. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact and low barrier to exploitation (only a subscriber account required) make patching a priority for any hospitality operator running this plugin.
The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in MotoPress Hotel Booking Lite plugin <= 4.6.0 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.