Description
The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.
Published: 2026-06-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Hotel Booking WordPress plugin, when run at a version earlier than 2.3.1, contains several AJAX handlers that lack proper capability checks. An authenticated user with a Subscriber role can trigger these handlers to read the booking line items of other users, enumerate active coupons, and retrieve pricing data. This flaw does not allow code execution or modification of data, but it exposes private booking information and other sensitive data to users who should not have access.

Affected Systems

The vulnerability affects installations of the WP Hotel Booking plugin with any version below 2.3.1. Users running this software on any WordPress site are impacted if they rely on the default Subscriber role.

Risk and Exploitability

The exploit requires the attacker to be logged in as a Subscriber; no additional privileges are needed. Because the issue is confined to read‑only data, the risk level is moderate, though it can undermine customer privacy. With a CVSS score of 6.5, the vulnerability is rated moderate severity. EPSS data are not available, and the vulnerability is not listed in the CISA KEV catalog. The vulnerability is likely exploitable through simple AJAX requests after authentication, making it comparatively easy to leverage within an authenticated environment.

Generated by OpenCVE AI on June 22, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Hotel Booking plugin to version 2.3.1 or later, which implements proper capability checks for the affected AJAX handlers.
  • If an upgrade is not immediately possible, review the plugin’s settings or custom code to restrict AJAX access for Subscriber roles, ensuring these handlers are disabled or limited.
  • Consider temporarily disabling booking or coupon features for Subscriber users until a patch is applied to prevent unauthorized data retrieval.
  • Monitor site logs for unusual AJAX calls from Subscriber accounts and apply host‑based or network‑based filtering as a last‑resort containment measure.

Generated by OpenCVE AI on June 22, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp Hotel Booking
Wp Hotel Booking wp Hotel Booking
Vendors & Products Wordpress
Wordpress wordpress
Wp Hotel Booking
Wp Hotel Booking wp Hotel Booking

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 19 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.
Title WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers
References

Subscriptions

Wordpress Wordpress
Wp Hotel Booking Wp Hotel Booking
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-22T16:15:45.924Z

Reserved: 2026-05-28T11:27:47.482Z

Link: CVE-2026-9822

cve-icon Vulnrichment

Updated: 2026-06-22T16:15:41.050Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:53Z

Weaknesses

No weakness.