Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the ThimPress WP Hotel Booking plugin for WordPress. A state-changing booking action is accepted without a check that the request originated from the site itself, so an attacker can craft a request that triggers privileged actions on a WordPress site without the user's knowledge. The flaw can be used to create, modify, or delete bookings when a logged-in user visits an attacker-controlled page that submits a forged POST to the booking handler. It is classified as CWE-352. The impact is that an authenticated user may be made to perform unintended booking operations, leading to data-integrity and availability problems for the booking system.
Affected Systems
The flaw affects all installations of WP Hotel Booking version 2.1.9 and earlier. The vendor is ThimPress and the plugin is distributed as WP Hotel Booking. No finer version granularity is listed, so any site running 2.1.9 or an older release should be treated as vulnerable.
Risk and Exploitability
The current CVSS score is 4.3, indicating moderate severity. The EPSS score is below 1%, implying a low likelihood of widespread exploitation today, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, an attacker can exploit the flaw by hosting a malicious page that forces a victim who is logged in with booking privileges (for example, an administrator) to unknowingly submit a booking request. The attack vector is network, and the attacker needs no credentials of their own: the forged request succeeds because the victim's browser automatically attaches the authenticated session cookie. Browsers that default cookies to SameSite=Lax reduce this exposure for cross-site POSTs but do not make the missing server-side check unnecessary. Because the flaw does not allow arbitrary code execution, it mainly presents a risk of unauthorized data modification rather than full system compromise.
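The following is an added illustration, not code from WP Hotel Booking or ThimPress. It shows the shape of the defect described in the Impact and Risk sections above: a hypothetical WordPress admin-post booking handler that accepts any POST carrying a logged-in cookie, beside a hardened version that verifies a WordPress nonce and the caller's capability. All names (hb_example_*, the hb_example_save_booking action, the _hb_nonce field, the _hb_example_status meta key) are assumptions made for this example; the WordPress API calls (check_admin_referer, wp_nonce_field, current_user_can, admin_post_{action}) are real.

```php
<?php
// Added example, not the plugin's own code. Names prefixed hb_example_ and the
// action 'hb_example_save_booking' are hypothetical.

// --- Vulnerable form: trusts any POST that arrives with a logged-in cookie ---
function hb_example_save_booking_vulnerable() {
    // No nonce and no capability check: a cross-site form submission from an
    // attacker-controlled page rides on the victim's session cookie and is
    // processed as if the victim had submitted it deliberately.
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    if ( $booking_id && $status ) {
        update_post_meta( $booking_id, '_hb_example_status', $status );
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// --- Hardened form: nonce bound to this action, plus a capability check ---
function hb_example_save_booking_hardened() {
    // 1. Reject requests that do not carry a nonce this site issued for this
    //    action. check_admin_referer() calls wp_die() on failure, so nothing
    //    below runs for a forged cross-site request.
    check_admin_referer( 'hb_example_save_booking', '_hb_nonce' );

    // 2. Being logged in is not the same as being allowed to edit bookings.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hb-example' ), 403 );
    }

    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    if ( $booking_id && $status ) {
        update_post_meta( $booking_id, '_hb_example_status', $status );
    }
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_action( 'admin_post_hb_example_save_booking', 'hb_example_save_booking_hardened' );

// The legitimate form must embed the matching nonce, otherwise the check
// above would also reject the site's own users.
function hb_example_render_form( $booking_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hb_example_save_booking">
        <input type="hidden" name="booking_id" value="<?php echo esc_attr( absint( $booking_id ) ); ?>">
        <?php wp_nonce_field( 'hb_example_save_booking', '_hb_nonce' ); ?>
        <select name="status">
            <option value="pending">pending</option>
            <option value="cancelled">cancelled</option>
        </select>
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The nonce is the control that closes the CSRF: it is derived from the action name, the user's session and a time window, so an attacker's page cannot know or guess a valid value to embed in its forged form. The capability check is a separate control and is kept because a valid nonce only proves the request came from a page this site rendered for that user, not that the user is permitted to change the booking. When auditing a plugin for this class of bug, look for admin_post_*, wp_ajax_* and front-end form handlers that write data without a call to check_admin_referer, check_ajax_referer or wp_verify_nonce.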