Description
Missing Authorization vulnerability in nicdark Hotel Booking nd-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Booking: from n/a through <= 3.8.
Published: 2025-12-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization in the nicdark Hotel Booking WordPress plugin allows an attacker to access booking data and potentially modify or delete reservations. The vulnerability stems from incorrectly configured access control security levels and is classified as CWE-862 (Missing Authorization).

Affected Systems

The nicdark Hotel Booking plugin (nd-booking), version 3.8 and all earlier releases, is affected. The issue is present in the WordPress plugin distribution and is not limited to any specific host or server configuration beyond the WordPress site that hosts the plugin.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium-severity flaw; the EPSS score of less than 1% suggests that exploitation is unlikely but still possible, and the flaw is not listed in the CISA KEV catalog. Because exploitation requires the ability to send web requests to a WordPress site that hosts the plugin, the attack vector is inferred to be the web interface, potentially by authenticated users with low privileges or by unauthenticated users if the plugin endpoints do not enforce proper checks. Consequently, the risk is moderate, but the impact of unauthorized data disclosure or modification remains significant to affected administrators.

Generated by OpenCVE AI on April 29, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Hotel Booking plugin to a version newer than 3.8 to eliminate the broken access control.
  • If an upgrade is not immediately possible, restrict access to the plugin’s administrative routes by applying HTTP authentication or firewall rules so that only trusted administrators can reach them.
  • Review and enforce proper role‑based access controls within the plugin, ensuring that only users with the correct capability can view or edit booking information, mitigating the CWE‑862 weakness.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'} |


Wed, 01 Apr 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | Missing Authorization vulnerability in nicdark Hotel Booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Booking: from n/a through 3.8. | Missing Authorization vulnerability in nicdark Hotel Booking nd-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Booking: from n/a through <= 3.8. |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'} |


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 05 Jan 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Nicdark, Nicdark hotel Booking, Wordpress, Wordpress wordpress |
| Vendors & Products | | Nicdark, Nicdark hotel Booking, Wordpress, Wordpress wordpress |

Wed, 31 Dec 2025 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Missing Authorization vulnerability in nicdark Hotel Booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Booking: from n/a through 3.8. |
| Title | | WordPress Hotel Booking plugin <= 3.8 - Broken Access Control vulnerability |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:08.226Z

Reserved: 2025-10-24T14:25:26.406Z

Link: CVE-2025-63001

Vulnrichment

Updated: 2026-01-05T15:25:24.462Z

NVD

Status: Deferred

Published: 2025-12-31T15:15:53.867

Modified: 2026-04-23T15:34:56.190

Link: CVE-2025-63001

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:00:07Z
