← back
CVE-2026-9822

WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers

CVSS 6.5 MEDIUMEPSS 0.2%
The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
Unknown · WP Hotel Booking
public PoCs found1
cve_referencewpscan.com/vulnerability/107fe41a-c5d9-4547-b413-bbd77cbab986/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/107fe41a-c5d9-4547-b413-bbd77cbab986/