WordPress Plugin Vulnerabilities

WP Hotel Booking < 2.2.0 - Cross-Site Request Forgery

Description

The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.9. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wp-hotel-booking
Fixed in 2.2.0

References

CVE
CVE-2025-47448
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2675fa78-4236-4574-8c81-ff3bce11ff9d

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
lucky_buddy
Verified
No
WPVDB ID
c92b979d-f13d-47b4-9e89-59976db11958

Timeline

Publicly Published
2025-05-07 (about 1 year ago)
Added
2025-05-13 (about 1 year ago)
Last Updated
2025-05-13 (about 1 year ago)

Other

Published
Title
Published
2025-06-12
Title
WP2HTML < 1.0.3 - Cross-Site Request Forgery to Settings Update
Published
2025-04-01
Title
DN Footer Contacts <= 1.8 - Cross-Site Request Forgery
Published
2025-06-05
Title
FastBook <= 1.1 - Cross-Site Request Forgery
Published
2025-09-22
Title
Current Age Plugin < 1.7 - Cross-Site Request Forgery
Published
2023-09-18
Title
Website Builder by SeedProd < 6.15.15.3 - Arbitrary Settings Update via CSRF