CVE-2026-9822
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.
Risk Assessment
The organization may be exposed to data leaks regarding bookings and coupon information, potentially leading to unauthorized access to sensitive information.
Recommendation
It is recommended to update the WP Hotel Booking plugin to version 2.3.1 or later to mitigate the security vulnerability.
Original NVD description (English source)
The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

