๐Ÿ” CVE Alert

CVE-2026-9822

UNKNOWN 0.0

WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

Vendor: unknown
Product: wp hotel booking
Published: Jun 19, 2026

Affected Versions

Unknown / WP Hotel Booking
0 < 2.3.1

References

wpscan.com: https://wpscan.com/vulnerability/107fe41a-c5d9-4547-b413-bbd77cbab986/

Credits

Sanjorn Keeratirungsan WPScan