CVE-2025-68005
Missing Authorization in Easy Hotel Booking Plugin Allows Unauthorized Access
Publication date: 2026-02-20
Last updated on: 2026-04-28
Assigner: Patchstack
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themewant | easy_hotel_booking | up to and including 1.8.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68005 is a Broken Access Control vulnerability in the WordPress Easy Hotel Booking Plugin versions up to and including 1.8.7. It occurs due to missing authorization, authentication, or nonce token checks in certain plugin functions.
This flaw allows unprivileged users, such as subscribers, to perform actions that should be restricted to higher privileged roles, leading to unauthorized access or modifications.
The vulnerability is considered medium severity with a CVSS score of 6.5 and is part of the OWASP Top 10 A1 category.
How can this vulnerability impact me?
This vulnerability can allow users with low-level privileges (such as subscribers) to escalate their privileges and perform unauthorized actions within the Easy Hotel Booking plugin.
Such unauthorized access or modifications could compromise the integrity and security of your website, potentially leading to data manipulation or exposure.
Since no official patch is available yet, failure to apply mitigations could leave your site vulnerable to exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
This vulnerability affects WordPress Easy Hotel Booking Plugin versions up to and including 1.8.7 and arises from missing authorization checks allowing unprivileged users to perform privileged actions.
No official patch has been released yet for this issue.
As an immediate mitigation, users are advised to apply Patchstack's mitigation rule which can block attacks exploiting this vulnerability until an official fix becomes available.
It is important to implement this mitigation promptly to protect your website and monitor for any official patches. [1]