Impact
The vulnerability allows an attacker to retrieve embedded sensitive system information from the WordPress WP Hotel Booking plugin. This exposes data that should be protected and can compromise the confidentiality of the affected site. The flaw is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). No evidence suggests that the confidentiality or integrity of other components is directly affected, but the exposed information can aid further attacks.
Affected Systems
Any WordPress installation using the WP Hotel Booking plugin by ThimPress at version 2.2.7 or earlier is vulnerable. The issue exists from the earliest available release up through 2.2.7, so sites running any of those versions should be considered affected.
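The following is an added example, not part of the advisory or of the plugin's own code, for checking an installation against the affected range above. It reads the `Version:` header from the plugin's PHP files and compares it numerically with 2.2.7. The directory name `wp-hotel-booking` and the sample header are assumptions made for the example.

```python
import re
from pathlib import Path

LAST_AFFECTED = "2.2.7"            # from the advisory: 2.2.7 and earlier
PLUGIN_SLUG = "wp-hotel-booking"   # assumption: default plugin directory name

# Constructed sample of a WordPress plugin header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Hotel Booking
 * Version: 2.2.6
 */
"""

def parse_version(text):
    """'2.2.7' or '2.2.7.1-beta' -> tuple of ints, so 2.10.0 sorts above 2.2.7."""
    nums = re.findall(r"\d+", text.split("-")[0])
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in nums)

def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected; shorter tuples are zero-padded."""
    a, b = parse_version(version), parse_version(last_affected)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))

def header_version(php_source):
    """Read 'Version:' from the header comment (WordPress scans the first 8 KB)."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", php_source[:8192], re.I | re.M)
    return m.group(1) if m else None

def audit(wp_root):
    """Return (file, version, affected) for each plugin file carrying a header."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    found = []
    for php in sorted(plugin_dir.glob("*.php")):
        version = header_version(php.read_text(errors="replace"))
        if version:
            found.append((str(php), version, is_affected(version)))
    return found

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version, affected in audit(root):
        print(path, version, "AFFECTED" if affected else "not in affected range")
```

Run it with the WordPress root directory as the only argument. Comparing versions as integer tuples rather than strings keeps a release such as 2.10.0 from being misread as older than 2.2.7.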
Risk and Exploitability
The CVSS score of 4.3 reflects a moderate impact, while the EPSS score of less than 1% indicates a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, and there are no publicly known exploits at this time. The attack vector is not explicitly documented, but the flaw can likely be triggered through web access to the plugin’s functionality or administrative interfaces, which requires the attacker to have some level of interaction with the WordPress site. No specific authentication prerequisites are stated, so it is inferred that the vulnerability could be exploited by users with privileged access, or potentially remotely via exposed endpoints.
OpenCVE Enrichment