cleantalk
Vulnerabilities and Security Researches

WP Hotel Booking, CVE-2026-9822

CVE, Research URL

CVE-2026-9822

Home page URL

Security reports for WP Hotel Booking

Application

WP Hotel Booking

Published on
Jun 19, 2026
Research Description
The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.
Affected versions
max 2.3.1.
Status
vulnerable
Previous vulnerability researches
WpZon – Amazon Affiliate Plugin (CVE-2025-46506) , Apr 26, 2025
New vulnerability
Simple File List (CVE-2026-11911) , Jun 21, 2026
Simple File List (CVE-2026-12119) , Jun 21, 2026
Simple File List (CVE-2026-11912) , Jun 21, 2026
WP Hotel Booking (CVE-2026-9822) , Jun 21, 2026
Branda – White Label WordPress, Custom Login Page Customizer (CVE-2026-11551) , Jun 21, 2026