WP Hotel Booking WordPress Plugin Security Vulnerabilities | WPScan

20

March 11, 2026

8000

Published

2026-01-16

Title

WP Hotel Booking < 2.2.8 - Unauthenticated Sensitive Information Exposure via 'email' Parameter

Fixed in

Fixed in 2.2.8

CVSS

5.3 (medium)

Published

2025-11-05

Title

Hotel Booking < 2.2.9 - Authenticated (Editor+) Stored Cross-Site Scripting

Fixed in

Fixed in 2.2.9

CVSS

4.4 (medium)

Published

2025-11-05

Title

Hotel Booking < 2.2.9 - Cross-Site Request Forgery

Fixed in

Fixed in 2.2.9

CVSS

4.3 (medium)

Published

2025-11-05

Title

Hotel Booking < 2.2.8 - Unauthenticated Information Exposure

Fixed in

Fixed in 2.2.8

CVSS

5.3 (medium)

Published

2025-08-28

Title

WP Hotel Booking < 2.2.3 - Subscriber+ Rating Manipulation

Fixed in

Fixed in 2.2.3

CVSS

4.3 (medium)

Published

2025-05-07

Title

WP Hotel Booking < 2.2.0 - Cross-Site Request Forgery

Fixed in

Fixed in 2.2.0

CVSS

4.3 (medium)

Published

2025-01-21

Title

WP Hotel Booking < 2.1.7 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval

Fixed in

Fixed in 2.1.7

CVSS

4.3 (medium)

Published

2025-01-16

Title

WP Hotel Booking < 2.1.6 - Missing Authorization

Fixed in

Fixed in 2.1.6

CVSS

5.3 (medium)

Published

2024-10-31

Title

WP Hotel Booking <= 2.2.9 - Contributor+ Local File Inclusion

Fixed in

No known fix

CVSS

7.2 (high)

Published

2024-10-01

Title

WP Hotel Booking < 2.1.3 - Authenticated (Subscriber+) Arbitrary File Upload

Fixed in

Fixed in 2.1.3

CVSS

8.8 (high)

Published

2024-06-19

Title

WP Hotel Booking < 2.1.1 - Unauthenticated SQL Injection

Fixed in

Fixed in 2.1.1

CVSS

10 (critical)

Published

2024-03-28

Title

WP Hotel Booking < 2.0.9.3 - Missing Authorization

Fixed in

Fixed in 2.0.9.3

CVSS

5.3 (medium)

Published

2024-02-03

Title

WP Hotel Booking < 2.0.9.3 - Improper Authorization on Multiple REST API Routes

Fixed in

Fixed in 2.0.9.3

CVSS

6.5 (medium)

Published

2023-10-26

Title

WP Hotel Booking < 2.0.8 - Unauthenticated SQLi

Fixed in

Fixed in 2.0.8

CVSS

8.6 (high)

Published

2023-10-26

Title

WP Hotel Booking < 2.0.9 - Contributor+ Arbitrary Post Deletion

Fixed in

Fixed in 2.0.9

CVSS

4.9 (medium)

Published

2023-10-26

Title

WP Hotel Booking < 2.0.8 - Subscriber+ Arbitrary Post Deletion

Fixed in

Fixed in 2.0.8

CVSS

6.5 (medium)

Published

2022-08-22

Title

WP Hotel Booking < 2.0.1 - Unauthenticated Arbitrary Settings Update

Fixed in

Fixed in 2.0.1

CVSS

7.5 (high)

Published

2022-08-02

Title

WP Hotel Booking < 1.10.6 - CSRF

Fixed in

Fixed in 1.10.6

CVSS

4.3 (medium)

Published

2020-12-08

Title

WP Hotel Booking < 1.10.4 - Unauthenticated PHP Object Injection

Fixed in

Fixed in 1.10.4

CVSS

8.1 (high)

Published

2020-09-16

Title

Multiple Plugins/Themes - Cross-Site Request Forgery (CSRF)

Fixed in

Fixed in 1.10.2

CVSS

5.4 (medium)