Vulnerabilities and security researches forwp-hotel-booking wp-hotel-booking

Direction: descending

Jan 28, 2026

WP Hotel Booking # CVE-2025-14075

CVE, Research URL: CVE-2025-14075
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Jan 17, 2026
Research Description: The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce.
Affected versions: max 2.2.8.
Status: vulnerable

Jan 10, 2026

WP Hotel Booking # CVE-2025-63011

CVE, Research URL: CVE-2025-63011
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Dec 09, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS.This issue affects WP Hotel Booking: from n/a through <= 2.2.7.
Affected versions: max 2.2.7.
Status: vulnerable

WP Hotel Booking # CVE-2025-63012

CVE, Research URL: CVE-2025-63012
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Dec 09, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery.This issue affects WP Hotel Booking: from n/a through <= 2.2.7.
Affected versions: max 2.2.7.
Status: vulnerable

WP Hotel Booking # CVE-2025-63013

CVE, Research URL: CVE-2025-63013
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Dec 09, 2025
Research Description: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Retrieve Embedded Sensitive Data.This issue affects WP Hotel Booking: from n/a through <= 2.2.7.
Affected versions: max 2.2.7.
Status: vulnerable

May 09, 2025

WP Hotel Booking # CVE-2025-47448

CVE, Research URL: CVE-2025-47448
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: May 07, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking allows Cross Site Request Forgery. This issue affects WP Hotel Booking: from n/a through 2.1.9.
Affected versions: max 2.2.0.
Status: vulnerable

Jan 22, 2025

WP Hotel Booking # CVE-2024-13447

CVE, Research URL: CVE-2024-13447
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Jan 22, 2025
Research Description: The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a list of registered user emails.
Affected versions: max 2.1.7.
Status: vulnerable

Jan 18, 2025

WP Hotel Booking # CVE-2024-12370

CVE, Research URL: CVE-2024-12370
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Jan 17, 2025
Research Description: The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices.
Affected versions: max 2.1.6.
Status: vulnerable

Nov 03, 2024

WP Hotel Booking # CVE-2024-51582

CVE, Research URL: CVE-2024-51582
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Nov 04, 2024
Research Description: Path Traversal: '.../...//' vulnerability in ThimPress WP Hotel Booking allows PHP Local File Inclusion.This issue affects WP Hotel Booking: from n/a through 2.1.4.
Affected versions: max 2.2.0.
Status: vulnerable

Oct 03, 2024

WP Hotel Booking # CVE-2024-7855

CVE, Research URL: CVE-2024-7855
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Oct 02, 2024
Research Description: The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: max 2.1.3.
Status: vulnerable

Jun 20, 2024

WP Hotel Booking # CVE-2024-3605

CVE, Research URL: CVE-2024-3605
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Jun 20, 2024
Research Description: The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: max 2.0.9.3.
Status: vulnerable

Jun 06, 2024

WP Hotel Booking # CVE-2020-36757

CVE, Research URL: CVE-2020-36757
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Jul 12, 2023
Research Description: The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.1. This is due to missing or incorrect nonce validation on the admin_add_order_item() function. This makes it possible for unauthenticated attackers to add an order item via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 2.0.8.
Status: vulnerable

WP Hotel Booking # CVE-2020-29047

CVE, Research URL: CVE-2020-29047
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Mar 03, 2021
Research Description: The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
Affected versions: max 1.10.2.
Status: vulnerable

WP Hotel Booking # CVE-2023-5651

CVE, Research URL: CVE-2023-5651
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Nov 21, 2023
Research Description: The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated users, such as subscriber to delete arbitrary posts
Affected versions: max 2.0.8.
Status: vulnerable

WP Hotel Booking # CVE-2023-5652

CVE, Research URL: CVE-2023-5652
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Nov 21, 2023
Research Description: The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admin_init, allowing unauthenticated users to perform SQL injections
Affected versions: max 2.0.8.
Status: vulnerable

WP Hotel Booking # CVE-2023-5799

CVE, Research URL: CVE-2023-5799
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Nov 21, 2023
Research Description: The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them
Affected versions: max 2.0.9.3.
Status: vulnerable

WP Hotel Booking # CVE-2024-30508

CVE, Research URL: CVE-2024-30508
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Mar 29, 2024
Research Description: Missing Authorization vulnerability in ThimPress WP Hotel Booking.This issue affects WP Hotel Booking: from n/a through 2.0.9.2.
Affected versions: max 2.0.9.3.
Status: vulnerable

WP Hotel Booking # CVE-2021-36852

CVE, Research URL: CVE-2021-36852
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Aug 22, 2022
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking plugin <= 1.10.5 at WordPress.
Affected versions: max 1.10.2.
Status: vulnerable

WP Hotel Booking # CVE-2021-4342

CVE, Research URL: -
Home page URL: Security reports for WP Hotel Booking
Application: WP Hotel Booking
Date: Jun 07, 2023
Research Description: Rejected reason: CVE split into individual CVE IDs for each software record.
Affected versions: max 1.10.2.
Status: vulnerable