WordPress Plugin Vulnerabilities

WP Hotel Booking < 2.1.6 - Missing Authorization

Description

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices.

Affects Plugins

Plugin icon
wp-hotel-booking
Fixed in 2.1.6

References

CVE
CVE-2024-12370
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5df32365-5381-48e0-9313-7e83c4c6c440

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Thanh Nam Tran
Verified
No
WPVDB ID
d90c968f-2829-4bb7-accb-00d60026f872

Timeline

Publicly Published
2025-01-16 (about 1 year ago)
Added
2025-01-16 (about 1 year ago)
Last Updated
2025-01-17 (about 1 year ago)

Other

Published
Title
Published
2021-11-01
Title
Stylish Cost Calculator < 7.0.4 - Subscriber+ Unauthorised AJAX Calls to Stored XSS
Published
2024-06-27
Title
Elements kit Elementor addons < 3.2.0 - Missing Authorization
Published
2021-08-17
Title
PostX Gutenberg Blocks for Post Grid < 2.4.10 - Missing Access Controls
Published
2024-01-24
Title
Views for WPForms < 3.2.3 - Missing Authorization via save_view
Published
2024-03-25
Title
WooCommerce < 8.6 - Contributor+ Private/Draft Products Access