Skip to main content

Hotel Booking Lite

3 CVEs product

Monthly

CVE-2026-57347 MEDIUM This Month

Sensitive subscriber data exposure in the Hotel Booking Lite WordPress plugin (versions 6.0.3 and earlier) allows authenticated low-privileged users to access confidential booking or guest information they should not be authorized to view. The vulnerability, classified under CWE-201, involves the plugin including sensitive data in API responses or rendered output accessible to subscriber-level WordPress accounts. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact and low barrier to exploitation (only a subscriber account required) make patching a priority for any hospitality operator running this plugin.

Information Disclosure Hotel Booking Lite
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-5991 CRITICAL POC Act Now

The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal WordPress CSRF Hotel Booking Lite
NVD WPScan
CVSS 3.1
9.8
EPSS
3.3%
CVE-2023-28498 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in MotoPress Hotel Booking Lite plugin <= 4.6.0 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Hotel Booking Lite
NVD
CVSS 3.1
8.8
EPSS
0.3%
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive subscriber data exposure in the Hotel Booking Lite WordPress plugin (versions 6.0.3 and earlier) allows authenticated low-privileged users to access confidential booking or guest information they should not be authorized to view. The vulnerability, classified under CWE-201, involves the plugin including sensitive data in API responses or rendered output accessible to subscriber-level WordPress accounts. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact and low barrier to exploitation (only a subscriber account required) make patching a priority for any hospitality operator running this plugin.

Information Disclosure Hotel Booking Lite
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal WordPress CSRF +1
NVD WPScan
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in MotoPress Hotel Booking Lite plugin <= 4.6.0 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Hotel Booking Lite
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy