Description
The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0.3. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form.
Published: 2026-01-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized booking modification
Action: Patch
AI Analysis

Impact

The Awesome Hotel Booking plugin for WordPress suffers from an incorrect authorization mechanism in the room-single.php shortcode handler. The plugin validates only a nonce, with no check for user capabilities, allowing an unauthenticated attacker to modify any booking record if the attacker can obtain a nonce from the public booking form. This flaw compromises the integrity of reservation data, potentially enabling fraudulent bookings or cancellations and creating financial or reputational damage for the business using the plugin.

Affected Systems

The vulnerability is present in all versions of the Awesome Hotel Booking plugin up to and including 1.0.3, developed by the vendor nahian91. The affected environment is a WordPress installation that hosts the plugin’s booking functionality.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability does not appear in the CISA KEV catalog. The likely attack vector is a remote web-based request; an attacker needs only to read the public booking form output to retrieve the nonce and then craft a request to alter payment and booking details without any authentication.

Generated by OpenCVE AI on April 22, 2026 at 00:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Awesome Hotel Booking to a version newer than 1.0.3 to include the capability check.
  • If an update is not yet released, reach out to the plugin author for a patch or temporarily disable the public booking form until a fix is available.
  • Audit all existing booking records and logs to identify unauthorized modifications, and restore any altered data from backups as needed.

Generated by OpenCVE AI on April 22, 2026 at 00:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form. The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0.3. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form.
Title Awesome Hotel Booking <= 1.0 - Incorrect Authorization to Unauthenticated Arbitrary Booking Modification Awesome Hotel Booking <= 1.0.3 - Incorrect Authorization to Unauthenticated Arbitrary Booking Modification
References

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 07 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
Description The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form.
Title Awesome Hotel Booking <= 1.0 - Incorrect Authorization to Unauthenticated Arbitrary Booking Modification
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:09.783Z

Reserved: 2025-12-09T16:25:38.309Z

Link: CVE-2025-14352

cve-icon Vulnrichment

Updated: 2026-01-07T15:22:59.951Z

cve-icon NVD

Status : Deferred

Published: 2026-01-07T12:16:54.453

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses