Impact
The vulnerability is a classic Cross‑Site Request Forgery (CSRF): a state‑changing request the plugin handles is not bound to a per‑user, per‑action token, so an attacker who lures a logged‑in WordPress user to a crafted page can have that user's browser submit the request with the victim's session cookies attached. The impact is bounded by the victim's role: the attacker can only perform actions that user is allowed to perform, such as modifying or deleting bookings, and the flaw does not by itself grant code execution or access to server files. The CVE carries a CVSS score of 4.3, a medium severity rating.
Affected Systems
The flaw exists in the ThimPress WordPress plugin WP Hotel Booking in all released versions up to and including 2.2.8. Any WordPress site running one of those versions is potentially vulnerable.
Risk and Exploitability
The EPSS score is below 1%, indicating a very low predicted probability of exploitation in the wild, and the issue is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires user interaction: the victim must be logged in with a role that can reach the affected actions and must visit a crafted page or click a crafted link that submits a state‑changing request to the vulnerable plugin. Because the plugin did not verify a CSRF token (in WordPress terms, a nonce) on that request, it could not distinguish the forged submission from one the user made deliberately. Anonymous visitors cannot trigger the affected actions, so this is a user‑interaction‑dependent vector with medium likelihood of successful exploitation in a typical environment.
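To make the missing check concrete, here is an added illustration of the vulnerable pattern beside its hardened form. It is not code from WP Hotel Booking; the action name `example_delete_booking`, the capability used, the assumption that bookings are stored as posts, and the form renderer are all hypothetical stand‑ins. Only the WordPress core functions (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_delete_post`) are real.

```php
<?php
// Added example, not the plugin's own code. Names prefixed "example_" are hypothetical.

// BEFORE (vulnerable pattern): the handler trusts the session cookie alone.
// Any page the logged-in user visits can auto-submit this POST on their behalf,
// and the browser attaches the WordPress auth cookies, so the capability check
// passes for the victim even though the victim never intended the action.
function example_delete_booking_vulnerable() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', 403);
    }
    $booking_id = isset($_POST['booking_id']) ? absint($_POST['booking_id']) : 0;
    wp_delete_post($booking_id, true);            // hypothetical: bookings are posts
    wp_safe_redirect(admin_url('admin.php?page=example-bookings'));
    exit;
}

// AFTER (hardened): require a nonce bound to this action, this booking and this user.
// check_admin_referer() reads $_REQUEST['_wpnonce'], runs wp_verify_nonce() against
// the action string, and dies with a 403 when the token is missing, expired, or
// was issued for a different action or user. A cross-site page cannot obtain a
// valid token because it cannot read the victim's pages (same-origin policy).
function example_delete_booking_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', 403);
    }
    $booking_id = isset($_POST['booking_id']) ? absint($_POST['booking_id']) : 0;
    check_admin_referer('example_delete_booking_' . $booking_id);
    wp_delete_post($booking_id, true);
    wp_safe_redirect(admin_url('admin.php?page=example-bookings'));
    exit;
}
add_action('admin_post_example_delete_booking', 'example_delete_booking_hardened');

// The legitimate form embeds the matching nonce via wp_nonce_field(), which emits
// the hidden _wpnonce field (and a _wp_http_referer field) for the given action.
function example_render_delete_form($booking_id) {
    $booking_id = absint($booking_id);
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_delete_booking">
        <input type="hidden" name="booking_id" value="<?php echo $booking_id; ?>">
        <?php wp_nonce_field('example_delete_booking_' . $booking_id); ?>
        <button type="submit">Delete booking</button>
    </form>
    <?php
}
```

Tying the nonce action string to the booking ID means a token leaked for one booking cannot be replayed against another; the capability check remains necessary, since a nonce only proves intent, not authorization. A quick way to confirm a handler is protected is to replay its POST from a page on another origin while logged in: the hardened handler should answer with WordPress's "The link you followed has expired" 403 page instead of performing the action.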
OpenCVE Enrichment