Impact
The Hotel Listing WordPress plugin suffers from an incorrect privilege assignment flaw that allows authenticated users to obtain higher privileges than intended. This vulnerability, classified as CWE-266 (Incorrect Privilege Assignment), lets a user who can log in to the site acquire additional capabilities, such as editing or deleting hotel listings or accessing administrative settings that should require a higher level of authorization. The flaw arises from the plugin's failure to enforce proper capability checks, leaving over-privileged roles within the WordPress installation.
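The following is an added illustration, not code from the Hotel Listing plugin or its vendor, of the two ways a WordPress plugin typically ends up in the CWE-266 situation described above: a custom role registered with far more capabilities than its feature needs, and a privileged handler that never asks whether the caller is allowed to act. Each weak pattern is shown next to its corrected form. All names (`hl_register_roles`, `hl_save_listing`, the `hotel_manager` role, the `hotel_listing` post type, the `edit_hotel_listings` capability) are assumptions made for the example; the WordPress functions (`add_role`, `get_role`, `current_user_can`, `check_ajax_referer`, `wp_send_json_error`, `add_options_page`) are real core APIs.

```php
<?php
/*
 * Hypothetical example (not the Hotel Listing plugin's own code) showing how
 * over-privileged roles and unchecked handlers arise, and the corrected form.
 * Role, capability, post-type and function names are assumed for illustration.
 */

// --- Weak pattern (CWE-266): a custom role cloned from the administrator.
// Every administrator capability (manage_options, edit_users, install_plugins, ...)
// is handed to anyone assigned this role, not just the listing-related ones.
function hl_register_roles_weak() {
    $admin = get_role( 'administrator' );
    add_role( 'hotel_manager', 'Hotel Manager', $admin->capabilities );
}

// --- Weak pattern: an AJAX handler that any logged-in user can reach.
// No capability check, no nonce check, no check that the target is a hotel listing.
// Shown for contrast only; it is deliberately not hooked to wp_ajax_*.
function hl_save_listing_weak() {
    $post_id = intval( $_POST['post_id'] ?? 0 );
    wp_update_post( array(
        'ID'         => $post_id,
        'post_title' => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
    ) );
    wp_send_json_success();
}

// --- Corrected: a role that carries only the capabilities the feature needs.
function hl_register_roles() {
    add_role( 'hotel_manager', 'Hotel Manager', array(
        'read'                  => true,
        'edit_hotel_listings'   => true,
        'delete_hotel_listings' => true,
        // Intentionally absent: manage_options, edit_users, install_plugins.
    ) );
    // Administrators keep the custom capabilities as well.
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        $admin->add_cap( 'edit_hotel_listings' );
        $admin->add_cap( 'delete_hotel_listings' );
    }
}
register_activation_hook( __FILE__, 'hl_register_roles' );

// --- Corrected: verify intent (nonce), authority (capability) and the specific
// object (post type and per-post permission) before changing anything.
function hl_save_listing() {
    check_ajax_referer( 'hl_save_listing', 'nonce' );
    $post_id = intval( $_POST['post_id'] ?? 0 );
    if ( ! current_user_can( 'edit_hotel_listings' ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( get_post_type( $post_id ) !== 'hotel_listing' ) {
        wp_send_json_error( 'not a hotel listing', 400 );
    }
    wp_update_post( array(
        'ID'         => $post_id,
        'post_title' => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_hl_save_listing', 'hl_save_listing' );

// --- Corrected: administrative settings are gated on manage_options, both when
// the menu entry is registered and again inside the page callback.
function hl_render_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to view this page.', '', array( 'response' => 403 ) );
    }
    echo '<div class="wrap"><h1>Hotel Listing settings</h1></div>';
}
function hl_settings_menu() {
    add_options_page( 'Hotel Listing', 'Hotel Listing', 'manage_options', 'hl-settings', 'hl_render_settings' );
}
add_action( 'admin_menu', 'hl_settings_menu' );
```

The point of the corrected role is least privilege: a site where `hotel_manager` equals `administrator` cannot distinguish the two once a low-privilege account is assigned that role. The corrected handler makes the capability check explicit on every privileged code path rather than relying on the admin menu being hidden, because `wp_ajax_*` and `admin-post.php` endpoints are reachable by any authenticated user regardless of what the UI shows.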
Affected Systems
The flaw exists in all versions of the e-plugins Hotel Listing plugin up to and including 1.4.0. The CVE description lists affected versions as "from n/a through <= 1.4.0", so every release up to and including 1.4.0 contains the defect, while later versions have not been identified as affected. The advisory names no fixed version, so any site running one of those releases should be treated as vulnerable.
Risk and Exploitability
The CVSS score of 8.8 denotes a high-severity risk, while the EPSS score of less than 1% suggests exploitation attempts are not yet widespread. The vulnerability is not listed in CISA's KEV catalog. An attacker who can authenticate to the site can leverage the flaw to assume roles with elevated permissions. The most likely attack vector is authenticated local exploitation through the plugin's administrative interface, where the privilege escalation is triggered by the plugin's internal logic.
OpenCVE Enrichment