WordPress Plugin Vulnerabilities

WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers

Description

The plugin does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

Proof of Concept

Affects Plugins

Fixed in 2.3.1

References

Classification

Type
ACCESS CONTROLS
CWE

Miscellaneous

Original Researcher
Sanjorn Keeratirungsan
Submitter
Sanjorn Keeratirungsan
Verified
Yes

Timeline

Publicly Published
2026-05-29 (about 1 month ago)
Added
2026-05-29 (about 1 month ago)
Last Updated
2026-05-29 (about 1 month ago)

Other