cleantalk
Vulnerabilities and Security Researches

WP Hotel Booking, d2294ca814d99d510f98298381e62d5bbd8d39f8

CVE, Research URL

d2294ca814d99d510f98298381e62d5bbd8d39f8

Home page URL

Security reports for WP Hotel Booking

Application

WP Hotel Booking

Published on
Oct 20, 2023
Research Description
WP Hotel Booking [wp-hotel-booking] < 2.0.8 WP Hotel Booking <= 2.0.7 - Missing Authorization to (Subscriber+) Arbitrary Post Deletion The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tp_extra_package_remove() function hooked via AJAX in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.
Affected versions
max 2.0.8.
Status
vulnerable
Previous vulnerability researches
WP Hotel Booking (CVE-2026-9822) , Jun 21, 2026
WP Hotel Booking (CVE-2025-14075) , Jan 28, 2026
WP Hotel Booking (CVE-2025-8942) , Apr 27, 2026
WP Hotel Booking (CVE-2024-12370) , Jan 18, 2025
WP Hotel Booking (CVE-2024-7855) , Oct 03, 2024
New vulnerability
Simple File List (CVE-2026-11911) , Jun 21, 2026
Simple File List (CVE-2026-12119) , Jun 21, 2026
Simple File List (CVE-2026-11912) , Jun 21, 2026
WP Hotel Booking (CVE-2026-9822) , Jun 21, 2026
Branda – White Label WordPress, Custom Login Page Customizer (CVE-2026-11551) , Jun 21, 2026