GHSA-mcv8-q72x-f535MediumCVSS 6.5

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several...

Published
June 19, 2026
Last Modified
June 22, 2026

🔗 CVE IDs covered (1)

📋 Description

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

🔗 References (3)