12 matches found
CVE-2024-3605
The CVE-2024-3605 entry concerns the WordPress plugin WP Hotel Booking (versions up to and including 2.1.0) and describes an SQL Injection flaw in the /wphb/v1/rooms/search-rooms REST API endpoint, exploitable via the room_type parameter. The root cause is insufficient escaping of the user-suppli...
CVE-2020-29047
The CVE-2020-29047 entry concerns the WordPress plugin WP Hotel Booking (versions
CVE-2023-5652
CVE-2023-5652 affects the WordPress plugin WP Hotel Booking, prior to version 2.0.8. The vulnerability arises from missing authorization and CSRF checks and from insufficient escaping of user input in a SQL statement executed in an admin_init hook, enabling unauthenticated users to perform SQL in...
CVE-2021-36852
CVE-2021-36852 is a CSRF vulnerability in the WordPress ThimPress WP Hotel Booking plugin versions
CVE-2024-30508
CVE-2024-30508: Missing Authorization vulnerability in ThimPress WP Hotel Booking. Affects WP Hotel Booking
CVE-2023-5651
The CVE targets the WordPress plugin WP Hotel Booking prior to version 2.0.8. Root cause: lack of authorization checks and CSRF protection, and failure to verify that the item to be deleted is a package. Impact: allows any authenticated user (e.g., a subscriber) to delete arbitrary posts, enablin...
CVE-2024-13447
CVE-2024-13447 (WP Hotel Booking plugin for WordPress) suffers from a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to 2.1.6, enabling authenticated users with Subscriber-level access and above to retrieve a list of registered user emails. The vulner...
CVE-2024-7855
CVE-2024-7855 affects the WordPress plugin WP Hotel Booking (versions
CVE-2023-5799
WP Hotel Booking WordPress plugin prior to 2.0.8 is affected by an authorization flaw in package deletion, allowing Contributor and above roles to delete posts that do not belong to them. The issue originates from insufficient access checks on the deletion operation and is documented across multi...
CVE-2024-51582
CVE-2024-51582 is a Path Traversal leading to PHP Local File Inclusion in the WP Hotel Booking plugin (affected
CVE-2024-12370
CVE-2024-12370 affects the WordPress plugin WP Hotel Booking. The vulnerability is an unauthorized data modification flaw caused by a missing capability check when adding rooms, affecting all versions up to 2.1.5. This enables unauthenticated attackers to add rooms with custom prices. The issue i...
CVE-2020-36757
The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 1.10.1 due to missing or incorrect nonce validation on the admin_add_order_item() function. This allows unauthenticated attackers to add an order item via a forged request by tricking a site ad...