CVE-2026-9822
Status: Received - Intake
WP Hotel Booking Plugin Authenticated Data Exposure Vulnerability

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: WPScan

Description
The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor            Product           Version / Range
wp_hotel_booking  wp_hotel_booking  < 2.3.1 (2.3.1 itself excluded)
Exploitability
CWE: not assigned (CWE-UNKNOWN)
Executive Summary

The WP Hotel Booking WordPress plugin before version 2.3.1 does not enforce capability checks in several of its AJAX handlers.

Any authenticated user, including one with only Subscriber-level access, can therefore read other users' booking line items, enumerate active coupons, and read pricing data.

Exploitation requires a Subscriber account and the nonce that the plugin sends with those AJAX requests, which a logged-in user can read from pages on the target site that embed it. A WordPress nonce is a CSRF token, not an authorization check, so it does not stop a Subscriber who can load such a page.
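The pattern behind this advisory, and the fix the mitigation section asks for, shown as an added illustrative example. This is not code from the WP Hotel Booking plugin: the AJAX action names, nonce actions, post types, meta keys and callback names are hypothetical. The first handler verifies only a nonce, so any logged-in user who can read that nonce gets another user's booking data; the hardened handlers add a capability check and an ownership check, and the coupon listing is restricted to staff.

```php
<?php
/*
 * Illustrative example, not code from the WP Hotel Booking plugin.
 * All action names, nonce actions, post types and meta keys are hypothetical.
 */

// Vulnerable pattern: the nonce check defends against CSRF only. There is no
// capability or ownership check, so any logged-in user (a Subscriber included)
// who can read the nonce from a page that embeds it can fetch any booking.
add_action( 'wp_ajax_example_get_booking_items', 'example_get_booking_items_vulnerable' );
function example_get_booking_items_vulnerable() {
    check_ajax_referer( 'example_booking_nonce', 'nonce' );
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    // Hypothetical storage: booking line items kept as post meta.
    $items = get_post_meta( $booking_id, '_example_booking_items', true );
    wp_send_json_success( $items );
}

// Hardened pattern: nonce check for CSRF, then authorization. Staff may read
// any booking; a customer may read only a booking they own.
add_action( 'wp_ajax_example_get_booking_items_safe', 'example_get_booking_items_safe' );
function example_get_booking_items_safe() {
    check_ajax_referer( 'example_booking_nonce', 'nonce' );

    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $booking    = $booking_id ? get_post( $booking_id ) : null;
    if ( ! $booking || 'example_booking' !== $booking->post_type ) {
        // Same response for "missing" and "wrong type" so IDs cannot be probed.
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    $is_staff = current_user_can( 'manage_options' );
    $is_owner = (int) $booking->post_author === get_current_user_id();
    if ( ! $is_staff && ! $is_owner ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $items = get_post_meta( $booking_id, '_example_booking_items', true );
    wp_send_json_success( $items );
}

// Coupon enumeration and pricing data have no per-customer owner, so they are
// staff-only. No wp_ajax_nopriv_ variant is registered, so unauthenticated
// callers never reach the handler at all.
add_action( 'wp_ajax_example_list_coupons', 'example_list_coupons' );
function example_list_coupons() {
    check_ajax_referer( 'example_admin_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $coupons = get_posts( array(
        'post_type'   => 'example_coupon',
        'post_status' => 'publish',
        'numberposts' => -1,
    ) );
    wp_send_json_success( wp_list_pluck( $coupons, 'post_title' ) );
}
```

The ordering matters: the nonce check runs first and on its own proves nothing about who the caller is; the capability check answers "may this role do this at all", and the ownership check answers "may this particular user see this particular record". Omitting either of the last two is what turns an authenticated endpoint into the data exposure described above.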

Impact Analysis

This vulnerability lets low-privileged authenticated users read data they are not authorized to see:

  • Reading other users' booking line items, potentially exposing personal or reservation details.
  • Enumerating active coupons, which could lead to unauthorized use or abuse of discounts.
  • Accessing pricing data, which might reveal confidential business information.
Detection Guidance

Affected installs can be identified by checking the installed WP Hotel Booking version: any version below 2.3.1 contains the missing authorization checks in the AJAX handlers; 2.3.1 is the fixed release.

To detect exploitation attempts, review requests to the plugin's AJAX endpoints (WordPress routes plugin AJAX actions through admin-ajax.php) that return booking line items, coupons, or pricing data. Look for calls made by Subscriber-level accounts, for one account requesting many different booking IDs, or for a single account walking booking or coupon identifiers in sequence.

Because the affected handlers are reachable by any logged-in user, a test with a throwaway Subscriber account against a staging copy of the site will confirm whether the endpoints still return other users' data.

The available resources do not name the affected AJAX actions, so no specific commands are given here.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WP Hotel Booking plugin to version 2.3.1 or later, where the missing authorization checks have been fixed.

Additionally, where the site does not need open self-registration, disable it (the "Anyone can register" option under Settings > General) so that an attacker cannot simply create a Subscriber account, and monitor for suspicious AJAX activity related to booking and coupon data.

Compliance Impact

The vulnerability allows authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and access pricing data due to missing authorization checks in the WP Hotel Booking plugin. Unauthorized access to this personal and transactional data could lead to non-compliance with data protection regulations such as GDPR, and with sector-specific rules such as HIPAA where a deployment handles health-related data, all of which require strict controls on access to personal and sensitive information.

Specifically, unauthorized disclosure of booking details and pricing information may violate the data confidentiality and user privacy principles these standards mandate.
