CVE Catalog

CVE-2026-9822

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

Risk Assessment

The organization may be exposed to data leaks regarding bookings and coupon information, potentially leading to unauthorized access to sensitive information.

Recommendation

It is recommended to update the WP Hotel Booking plugin to version 2.3.1 or later to mitigate the security vulnerability.

Original NVD description (English source)

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS