WP Hotel Booking < 2.0.9.3 – Improper Authorization on Multiple REST API Routes | Plugin Vulnerabilities

Description

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to an improper capability check on the 'pricing_plans', 'block_date', 'manager_bookings', and 'update_field_room' functions for the 'pricing-plans', 'block-date', 'manager-bookings', and 'update-field' REST routes, respectively, in versions up to, and including, 2.0.9.2. This makes it possible for unauthenticated attackers to expose sensitive information about bookings or modify them.

Affects Plugins

wp-hotel-booking

Fixed in 2.0.9.3

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/86f15e94-6ca7-4eb2-8a38-b4add9251dab

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

6a028b01-38e4-4c12-aa19-9a83cf6c1b41

Timeline

Publicly Published

2024-02-03 (about 2 years ago)

Added

2024-04-03 (about 2 years ago)

Last Updated

2024-04-03 (about 2 years ago)

Other

Published

Title

Published

2026-04-20

Title

Responsive Blocks < 2.2.1 - Unauthenticated Open Email Relay via REST API 'email_to' Parameter

Published

2026-03-05

Title

Responsive Plus < 3.4.3 - Unauthenticated Arbitrary Shortcode Execution

Published

2024-02-05

Title

Prime Slider – Addons For Elementor < 3.11.11 - Incorrect Authorization via bdt_duplicate_as_draft

Published

2021-09-29

Title

Stylish Price List < 6.9.1 - Subscriber+ Arbitrary Image Upload

Published

2022-10-17

Title

WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint