Description
The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.
Published: 2026-06-19
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Hotel Booking WordPress plugin, in versions before 2.3.1, contains several AJAX handlers that lack proper capability checks. An authenticated user with the Subscriber role can call these handlers to read other users' booking line items, enumerate active coupons, and retrieve pricing data. The flaw does not allow code execution or data modification, but it exposes private booking information and other sensitive data to users who should not have access to it.

Affected Systems

The vulnerability affects installations of the WP Hotel Booking plugin at any version below 2.3.1. Any WordPress site running the plugin is impacted if it has accounts with the default Subscriber role.

Risk and Exploitability

The exploit requires the attacker to be logged in as a Subscriber; no additional privileges are needed. Because the issue is confined to read-only data, the risk level is moderate, though it undermines customer privacy. EPSS data are not available, and the vulnerability is not listed in the CISA KEV catalog. It is likely exploitable through ordinary AJAX requests once authenticated, so it is comparatively easy to leverage within an authenticated environment.

Generated by OpenCVE AI on June 19, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Hotel Booking plugin to version 2.3.1 or later, which implements proper capability checks for the affected AJAX handlers.
  • If an upgrade is not immediately possible, review the plugin’s settings or custom code to restrict AJAX access for Subscriber roles, ensuring these handlers are disabled or limited.
  • Consider temporarily disabling booking or coupon features for Subscriber users until a patch is applied to prevent unauthorized data retrieval.
  • Monitor site logs for unusual AJAX calls from Subscriber accounts and apply host-based or network-based filtering as a last-resort containment measure.
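As an added illustration of the bug class described above and of the capability check that closes it (this is not the plugin's own code; the action name, post type, meta key and nonce name are hypothetical), a WordPress AJAX handler that returns booking line items, first without any authorization and then gated on nonce, capability and ownership:

```php
<?php
// Added illustration, not code from the WP Hotel Booking plugin. The action name
// 'example_get_booking_items', post type 'example_booking', meta key
// '_example_line_items' and nonce 'example_booking_nonce' are hypothetical.

// Stand-in for whatever persists a booking's line items (assumed: post meta).
function example_load_booking_items( $booking_id ) {
    return get_post_meta( $booking_id, '_example_line_items', true );
}

// VULNERABLE pattern (shown for contrast, deliberately NOT registered below):
// every logged-in user, Subscribers included, can reach wp_ajax_* handlers, so
// without a capability or ownership check any booking on the site is readable.
function example_get_booking_items_unsafe() {
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    wp_send_json_success( example_load_booking_items( $booking_id ) );
}

// HARDENED: nonce (CSRF), then authorization. A nonce alone is not authorization;
// the capability/ownership test is what keeps a Subscriber out of other bookings.
function example_get_booking_items_safe() {
    check_ajax_referer( 'example_booking_nonce', 'nonce' );

    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    if ( ! $booking_id ) {
        wp_send_json_error( array( 'message' => 'invalid booking id' ), 400 );
    }

    $booking = get_post( $booking_id );
    if ( ! $booking || 'example_booking' !== $booking->post_type ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    // Site staff may read any booking; everyone else only their own.
    $is_staff = current_user_can( 'manage_options' );
    $is_owner = (int) $booking->post_author === get_current_user_id();
    if ( ! $is_staff && ! $is_owner ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_send_json_success( example_load_booking_items( $booking_id ) );
}
add_action( 'wp_ajax_example_get_booking_items', 'example_get_booking_items_safe' );

// Coupon and pricing handlers that have no per-user owner should be gated the same
// way, on a capability Subscribers lack, e.g. current_user_can( 'manage_options' ),
// rather than relying on the user merely being logged in.
```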

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 08:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-284

Fri, 19 Jun 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description                    The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.
Title                          WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-19T06:00:01.847Z

Reserved: 2026-05-28T11:27:47.482Z

Link: CVE-2026-9822

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T08:30:07Z

Weaknesses