WP Hotel Booking < 2.2.8 – Unauthenticated Sensitive Information Exposure via 'email' Parameter | CVE 2025-14075 | Plugin Vulnerabilities

Description

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce.

Affects Plugins

wp-hotel-booking

Fixed in 2.2.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1fc4eaec-b5d8-4707-9260-bac02a4b1866

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Itthidej Aramsri (Boeing777)

Verified

No

WPVDB ID

5660194e-a98a-4e0b-be53-c4c953253b16

Timeline

Publicly Published

2026-01-16 (about 3 months ago)

Added

2026-01-16 (about 3 months ago)

Last Updated

2026-01-17 (about 3 months ago)

Other

Published

Title

Published

2024-12-18

Title

Button Block – Get fully customizable & multi-functional buttons < 1.1.6 - Authenticated (Contributor+) Post Disclosure via Post Duplication

Published

2021-09-09

Title

WordPress 5.4 to 5.8 - Data Exposure via REST API

Published

2021-03-26

Title

AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage

Published

2023-12-05

Title

Ultimate Dashboard < 3.7.11 - Login Page Disclosure on Multi-site

Published

2025-10-31

Title

List category posts < 0.93.0 - Authenticated (Contributor+) Information Exposure