The plugin unserialised the value in the thimpress_hotel_booking_1 cookie without sanitisation, which could lead to an unauthenticated PHP Object Injection. If the plugin is installed on WP < 5.5.2, then there is a suitable gadget chain to obtain RCE, otherwise, another gadget chain will have to be used (ie from another installed plugin for instance). The fix attempted in 1.10.3 (ie sanitising the cookie value through sanitize_text_field() does nothing against PHP Object Injection and the plugin is still vulnerable, despite the original advisory stating that the issue has been fixed. This has been escalated to the WordPress plugin team on March 4th, 2021.
WordPress Hotel Booking Plugin Remote Code Execution (CVE-2020-29047)
WP Hotel Booking <= 1.10.3 - Unauthenticated PHP Object Injection