CVE-2025-14352
Authorization Bypass in Awesome Hotel Booking Plugin Allows Data Modification
Publication date: 2026-01-07
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| awesome_hotel_booking | awesome_hotel_booking | up to 1.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Awesome Hotel Booking plugin for WordPress allows unauthorized modification of booking data. This happens because the plugin only uses nonce verification without checking user capabilities in the room-single.php shortcode handler. As a result, unauthenticated attackers can obtain a nonce from the public booking form and use it to modify arbitrary booking records.
How can this vulnerability impact me?
This vulnerability can allow attackers who are not logged in to modify booking records arbitrarily. This could lead to data integrity issues, unauthorized changes to bookings, and potential disruption of hotel booking operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized modification of booking data, which could lead to unauthorized access or alteration of personal customer information such as names, emails, phone numbers, addresses, and uploaded identification documents. This unauthorized data manipulation poses risks to data integrity and confidentiality, potentially violating data protection regulations like GDPR and HIPAA that require strict controls over personal data access and modification. Therefore, the vulnerability could negatively impact compliance with such standards by enabling unauthorized data changes without proper authorization or audit controls. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized POST requests to the booking form shortcode handler that include the parameter 'ahbn_save_booking' and a valid nonce '_wpnonce'. You can look for suspicious POST requests modifying booking records without proper authentication. For example, on a server with access logs, you can use commands like:
1) To search web server logs for POST requests to the booking form endpoint: `grep -i 'POST' /var/log/apache2/access.log | grep 'ahbn_save_booking'`
2) To detect nonce usage in requests: `grep '_wpnonce' /var/log/apache2/access.log`
3) Use WordPress debug logs or plugin-specific logs to monitor booking creation or modification events.
Additionally, inspecting the database for unexpected changes in 'ahbn_booking' custom post types or metadata can help detect exploitation attempts. However, no specific detection commands are provided in the resources. [2, 3]
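Default web-server access logs record the request line and not the POST body, so the parameter 'ahbn_save_booking' named above will usually not appear in access.log at all. The application-level log the third step asks for has to be produced by something inside WordPress. The following must-use plugin is an added example written for this page; it is not part of the Awesome Hotel Booking plugin or of the advisory. It assumes a 'booking_id' form field (the page names only 'ahbn_save_booking' and '_wpnonce') and that WP_DEBUG_LOG is enabled so error_log() lands in wp-content/debug.log.

```php
<?php
/**
 * Plugin Name: AHBN booking-form audit log (added example, not the plugin's code)
 *
 * Place in wp-content/mu-plugins/ to record every request carrying the
 * 'ahbn_save_booking' parameter, with the requester's authentication state.
 * The 'booking_id' field name is an assumption about the plugin's form.
 */

add_action( 'init', 'ahbn_audit_booking_requests', 1 );

function ahbn_audit_booking_requests() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || ! isset( $_POST['ahbn_save_booking'] ) ) {
        return;
    }

    $user_id = is_user_logged_in() ? get_current_user_id() : 0;
    $entry   = ahbn_build_audit_entry( $_POST, $user_id, $_SERVER );

    // One line per booking-form POST, as JSON so it is easy to ship to a SIEM.
    error_log( 'ahbn_audit ' . wp_json_encode( $entry ) );

    // An anonymous request that names an existing record is the CWE-863
    // pattern this CVE describes; emit a distinct marker an alert can key on.
    if ( $entry['suspicious'] ) {
        error_log( 'ahbn_audit_alert unauthenticated edit attempt ' . wp_json_encode( $entry ) );
    }
}

/**
 * Pure classification helper, kept free of WordPress calls so it can be
 * exercised on its own with constructed $_POST / $_SERVER arrays.
 */
function ahbn_build_audit_entry( array $post, int $user_id, array $server ) : array {
    $booking_id = isset( $post['booking_id'] ) ? (int) $post['booking_id'] : 0;
    return array(
        'time'       => gmdate( 'c' ),
        'ip'         => $server['REMOTE_ADDR'] ?? '',
        'user_id'    => $user_id,
        'booking_id' => $booking_id,
        'has_nonce'  => isset( $post['_wpnonce'] ),
        // Creating a booking (booking_id 0) from the public form is normal;
        // editing an existing one (booking_id > 0) while not logged in is not.
        'suspicious' => ( $booking_id > 0 && 0 === $user_id ),
    );
}
```

With this in place, `grep ahbn_audit_alert wp-content/debug.log` lists the attempts the access-log greps above cannot see, and the plain `ahbn_audit` lines give the baseline of legitimate form traffic to compare against.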
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Update the Awesome Hotel Booking plugin to a version that fixes this vulnerability once available.
2) If an update is not yet available, restrict access to the booking form shortcode handler by implementing additional capability checks beyond nonce verification to ensure only authorized users can modify booking data.
3) Apply web application firewall (WAF) rules to block unauthorized POST requests to the booking form endpoint.
4) Monitor and audit booking records for unauthorized changes.
5) Consider temporarily disabling the booking form shortcode or plugin until a patch is applied.
These steps address the core issue of insufficient authorization in the booking form processing. [2, 3]
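To make the defect described under "Can you explain this vulnerability to me?" and the capability check in mitigation step 2 concrete, here is an added example contrasting a nonce-only handler with one that also decides authorization. This is illustrative code written for this page, not the plugin's own source. The parameter 'ahbn_save_booking', the nonce field '_wpnonce' and the post type 'ahbn_booking' are taken from the page; the nonce action 'ahbn_booking_form', the 'booking_id' and 'guest_name' fields and the function names are assumptions.

```php
<?php
/**
 * Added example (not the plugin's code): nonce-only handler beside a hardened one.
 * Assumed names: nonce action 'ahbn_booking_form', fields 'booking_id' and
 * 'guest_name'. The post type 'ahbn_booking' is assumed to be registered with
 * map_meta_cap => true so that 'edit_post' resolves per record.
 */

// BEFORE (the CWE-863 pattern). A nonce only proves the request came from a form
// this site rendered; the public booking form gives every visitor one, so the
// check says nothing about whether the caller may touch the named record.
function ahbn_save_booking_nonce_only() {
    if ( ! isset( $_POST['ahbn_save_booking'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'ahbn_booking_form' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    // Writes whichever record the caller named, with no authorization decision.
    wp_update_post( array(
        'ID'         => $booking_id,
        'post_title' => sanitize_text_field( wp_unslash( $_POST['guest_name'] ?? '' ) ),
    ) );
}

// AFTER. Keep the nonce for CSRF protection, then answer the separate question
// "may this principal change this record?" before touching the database.
function ahbn_save_booking_authorized() {
    if ( ! isset( $_POST['ahbn_save_booking'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'ahbn_booking_form' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $guest_name = sanitize_text_field( wp_unslash( $_POST['guest_name'] ?? '' ) );

    if ( 0 === $booking_id ) {
        // Visitors may create a booking; it lands as 'pending' for staff review.
        // The public path can create exactly this post type and nothing else.
        wp_insert_post( array(
            'post_type'   => 'ahbn_booking',
            'post_status' => 'pending',
            'post_title'  => $guest_name,
        ) );
        return;
    }

    // The target must really be a booking, so the form cannot be used to rewrite
    // pages or other content types by supplying their IDs.
    if ( 'ahbn_booking' !== get_post_type( $booking_id ) ) {
        wp_die( 'Invalid booking.', '', array( 'response' => 400 ) );
    }

    // Editing an existing record requires an authenticated user holding the
    // edit_post meta capability for that specific post.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_post', $booking_id ) ) {
        wp_die( 'You are not allowed to modify this booking.', '', array( 'response' => 403 ) );
    }

    wp_update_post( array(
        'ID'         => $booking_id,
        'post_title' => $guest_name,
    ) );
}
```

The design point is that the nonce and the capability check answer different questions: the nonce rejects forged cross-site submissions, while current_user_can() with the post ID is what ties the write to a principal who owns or may manage that booking. Until the vendor fix is available, the same split can be enforced from a small plugin that hooks ahead of the shortcode handler and refuses any request carrying a non-zero booking_id from an unauthenticated user.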