Skip to main content

Wp Hotel Booking

12 CVEs product

Monthly

CVE-2026-11901 MEDIUM This Month

Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbitrary hotel reservations as fully paid without submitting genuine payment. The PayPal IPN handler `web_hook_process_paypal_standard()` accepts an attacker-controlled `test_ipn=1` parameter that silently reroutes IPN validation to PayPal's sandbox environment, where a free sandbox account returns a legitimate 'VERIFIED' response; the handler then promotes any pending booking to completed while skipping critical post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness. No public exploit is identified at time of analysis, but the attack requires only a free PayPal sandbox account, making it nearly zero-cost for any motivated attacker.

WordPress Information Disclosure Wp Hotel Booking
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-11392 MEDIUM This Month

Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits unauthenticated remote attackers to inject arbitrary JavaScript via the check_in_date and check_out_date URL parameters across multiple search result and Elementor widget templates. Successful exploitation requires tricking a victim into clicking a crafted link, after which the injected script executes in the victim's browser context - making logged-in administrators particularly high-value targets. No public exploit has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

WordPress XSS Wp Hotel Booking
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-9822 MEDIUM POC PATCH This Month

Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hospitality business data to any authenticated Subscriber-level user. Affected AJAX handlers lack WordPress capability checks, enabling low-privilege users to read other guests' booking line items, enumerate active coupon codes, and access internal pricing data across the entire site. A public proof-of-concept exploit exists per WPScan; while not confirmed actively exploited in CISA KEV, the low authentication barrier and publicly available exploit represent meaningful real-world risk for any hotel or hospitality site with user registration enabled.

Information Disclosure WordPress Wp Hotel Booking
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-13447 MEDIUM PATCH Monitor

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Wp Hotel Booking
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-12370 MEDIUM PATCH This Month

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass WordPress Wp Hotel Booking
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-7855 HIGH PATCH This Week

The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE WordPress File Upload Wp Hotel Booking
NVD
CVSS 3.1
8.8
EPSS
17.1%
CVE-2024-3605 CRITICAL POC THREAT Emergency

The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.4%.

SQLi WordPress Wp Hotel Booking
NVD
CVSS 3.1
10.0
EPSS
80.4%
Threat
5.9
CVE-2024-30508 MEDIUM This Month

Missing Authorization vulnerability in ThimPress WP Hotel Booking.0.9.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wp Hotel Booking
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2023-5799 MEDIUM POC This Month

The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Wp Hotel Booking
NVD WPScan
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-5652 CRITICAL POC THREAT Act Now

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress SQLi Wp Hotel Booking
NVD WPScan
CVSS 3.1
9.8
EPSS
63.7%
CVE-2023-5651 MEDIUM POC This Month

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Wp Hotel Booking
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2020-36757 MEDIUM PATCH This Month

The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Wp Hotel Booking
NVD
CVSS 3.1
4.3
EPSS
0.1%
EPSS 0% CVSS 5.3
MEDIUM This Month

Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbitrary hotel reservations as fully paid without submitting genuine payment. The PayPal IPN handler `web_hook_process_paypal_standard()` accepts an attacker-controlled `test_ipn=1` parameter that silently reroutes IPN validation to PayPal's sandbox environment, where a free sandbox account returns a legitimate 'VERIFIED' response; the handler then promotes any pending booking to completed while skipping critical post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness. No public exploit is identified at time of analysis, but the attack requires only a free PayPal sandbox account, making it nearly zero-cost for any motivated attacker.

WordPress Information Disclosure Wp Hotel Booking
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits unauthenticated remote attackers to inject arbitrary JavaScript via the check_in_date and check_out_date URL parameters across multiple search result and Elementor widget templates. Successful exploitation requires tricking a victim into clicking a crafted link, after which the injected script executes in the victim's browser context - making logged-in administrators particularly high-value targets. No public exploit has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

WordPress XSS Wp Hotel Booking
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hospitality business data to any authenticated Subscriber-level user. Affected AJAX handlers lack WordPress capability checks, enabling low-privilege users to read other guests' booking line items, enumerate active coupon codes, and access internal pricing data across the entire site. A public proof-of-concept exploit exists per WPScan; while not confirmed actively exploited in CISA KEV, the low authentication barrier and publicly available exploit represent meaningful real-world risk for any hotel or hospitality site with user registration enabled.

Information Disclosure WordPress Wp Hotel Booking
NVD WPScan VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Wp Hotel Booking
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass WordPress Wp Hotel Booking
NVD
EPSS 17% CVSS 8.8
HIGH PATCH This Week

The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE WordPress File Upload +1
NVD
EPSS 80% 5.9 CVSS 10.0
CRITICAL POC THREAT Emergency

The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.4%.

SQLi WordPress Wp Hotel Booking
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in ThimPress WP Hotel Booking.0.9.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wp Hotel Booking
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Wp Hotel Booking
NVD WPScan
EPSS 64% CVSS 9.8
CRITICAL POC THREAT Act Now

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress SQLi +1
NVD WPScan
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Wp Hotel Booking
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Wp Hotel Booking
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy