Impact
The Hotel Booking plugin for WordPress contains a flaw where an attacker can supply an arbitrary filename to PHP include or require calls. This improper control of the include path allows reading of any file that the web server process can access, potentially exposing configuration files, credentials, or other sensitive data. The weakness is classified as CWE-98 (improper control of a filename for an include/require statement). It is inferred that if an attacker can force inclusion of a PHP file under their control, remote code execution could be achieved in addition to the loss of confidentiality.
Affected Systems
All installations of the nicdark Hotel Booking plugin up to and including version 3.7 are affected; every release of the plugin that has not been updated beyond 3.7 carries the vulnerability.
Risk and Exploitability
With a CVSS score of 7.5, the vulnerability is considered high severity. The EPSS score is below 1%, indicating a low current exploitation frequency, and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is remote via the web interface, since the vulnerable code is reachable through the plugin's URLs. An attacker must construct a request that injects a malicious filename into the plugin's include logic. Once triggered, the attacker can read arbitrary local files, and if the plugin permits inclusion of attacker-controlled PHP files, remote code execution may result.
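To make the CWE-98 pattern described under Impact and Risk and Exploitability concrete, here is an added illustration (not code from the nicdark Hotel Booking plugin) of a request value reaching include() unchecked, beside a hardened version that maps the value through a fixed allowlist and verifies the resolved path. The parameter name `view`, the `views/` directory and the template names are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code. The "view" parameter, the views/
// directory and the template names below are constructed for illustration.

// Vulnerable pattern (CWE-98): the request value becomes part of the include
// path, so traversal sequences or a path to an attacker-writable file reach
// include() unchanged. Kept only to show the shape of the defect.
function render_view_vulnerable(string $view): void
{
    include __DIR__ . '/views/' . $view . '.php';
}

// Hardened: user input selects a key in a fixed map and never forms the path.
const ALLOWED_VIEWS = [
    'rooms'   => 'rooms.php',
    'booking' => 'booking.php',
    'summary' => 'summary.php',
];

// Returns the absolute template path for a known view, or null for anything else.
function resolve_view(string $view): ?string
{
    if (!array_key_exists($view, ALLOWED_VIEWS)) {
        return null;
    }
    $base = realpath(__DIR__ . '/views');
    $path = realpath($base . '/' . ALLOWED_VIEWS[$view]);
    // Defence in depth: confirm the resolved file still lives under views/.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_view_hardened(string $view): void
{
    $path = resolve_view($view);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown view');
    }
    include $path;
}

render_view_hardened(isset($_GET['view']) ? (string) $_GET['view'] : 'rooms');
```

Reviewing a plugin for this class of bug means locating every include/require whose operand is derived from request data and replacing it with a lookup of this kind; a path check alone is not sufficient when the input can still name a file the attacker was able to write.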
OpenCVE Enrichment
EUVD