CVE-2026-9822

MEDIUM

WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers

Title source: cna
STIX 2.1

Description

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

References (1)

Core 1
Core References
Exploit exploit vdb-entry technical-description
https://wpscan.com/vulnerability/107fe41a-c5d9-4547-b413-bbd77cbab986/

Scores

CVSS v3 6.5
EPSS 0.0020
EPSS Percentile 10.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

Status published
Products (1)
None/WP Hotel Booking < 2.3.1
Published Jun 19, 2026
Tracked Since Jun 19, 2026