CVE-2026-8684
Authorization Bypass in MotoPress Hotel Booking Plugin
Publication date: 2026-05-22
Last updated on: 2026-05-22
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| motopress | hotel_booking | to 6.0.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The MotoPress Hotel Booking plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 6.0.1. This means the plugin does not properly check if a user is allowed to perform certain actions.
Because of this flaw, unauthenticated attackers can overwrite or delete internal notes of any booking by providing an arbitrary booking ID.
The vulnerability is worsened by the fact that a valid nonce (a security token) needed to perform this action is exposed in the HTML source of every public page, allowing any visitor to obtain it without needing an account or prior interaction.
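As an added illustration (not the plugin's code, and not taken from the advisory), the sketch below shows a handler for a note-update action that treats the nonce as CSRF protection only and adds the missing authorization check. It assumes the action is exposed through WordPress's admin-ajax mechanism; the action name, nonce field, meta key, post type and the use of the `edit_post` capability are all hypothetical.

```php
<?php
// Added example: hypothetical handler, not the MotoPress plugin's code.
// Action, nonce field, meta key and post type names are assumptions.
const EXAMPLE_NOTE_ACTION = 'example_update_booking_note';
const EXAMPLE_NOTE_META   = '_example_internal_note';
const EXAMPLE_BOOKING_CPT = 'example_booking';

// Registered for logged-in users only. A matching wp_ajax_nopriv_* hook
// would open the handler to anonymous visitors, so none is added.
add_action( 'wp_ajax_' . EXAMPLE_NOTE_ACTION, 'example_update_booking_note' );

function example_update_booking_note() {
    // 1. Nonce: CSRF protection only. It shows the request came from a page
    //    this site rendered, not that the sender may edit bookings. Create it
    //    with wp_create_nonce() on admin screens, never in public page HTML.
    if ( ! check_ajax_referer( EXAMPLE_NOTE_ACTION, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Validate the caller-supplied ID and confirm it refers to a booking.
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    if ( ! $booking_id || EXAMPLE_BOOKING_CPT !== get_post_type( $booking_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown booking.' ), 404 );
    }

    // 3. Authorization (the check CWE-862 describes as missing): the current
    //    user must be allowed to edit this specific booking.
    if ( ! current_user_can( 'edit_post', $booking_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 4. Only now modify the note. An empty note deletes it.
    $note = isset( $_POST['note'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) )
        : '';
    if ( '' === $note ) {
        delete_post_meta( $booking_id, EXAMPLE_NOTE_META );
    } else {
        update_post_meta( $booking_id, EXAMPLE_NOTE_META, $note );
    }
    wp_send_json_success( array( 'booking_id' => $booking_id ) );
}
```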
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to modify or delete internal booking notes, which could lead to data integrity issues.
Although it does not allow disclosure of sensitive data or denial of service, the integrity of booking information can be compromised, potentially disrupting hotel booking operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to overwrite or delete internal notes of any booking in the MotoPress Hotel Booking plugin by exploiting an authorization bypass. This could lead to unauthorized modification of booking data.
While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, unauthorized modification of booking information could potentially impact data integrity and confidentiality requirements under such regulations.
Specifically, GDPR requires protection of personal data against unauthorized alteration, and HIPAA mandates safeguarding patient information integrity. If booking notes contain personal or sensitive information, this vulnerability could pose compliance risks.