CVE-2025-62916
Description
Missing Authorization vulnerability in Travon WP Flights & Hotels Booking WP Plugin adiaha-hotel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flights & Hotels Booking WP Plugin: from n/a through <= 3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WordPress Flights & Hotels Booking WP Plugin (≤ 3.1) has a missing authorization vulnerability that allows exploitation of incorrectly configured access controls.
This vulnerability is a missing authorization (broken access control) issue in the Flights & Hotels Booking WP Plugin (adiaha-hotel) for WordPress, affecting versions from n/a through ≤ 3.1. The plugin fails to properly validate user permissions, allowing an attacker to exploit incorrectly configured access control security levels. Broken access control issues of this kind often involve missing nonce tokens or insufficient capability checks [1].
Attackers can exploit this issue remotely without needing prior authentication, as the vulnerability lies in an unprivileged function. The attack surface is broad: any WordPress site running the plugin is exposed, regardless of its traffic or popularity, and these flaws are often used in mass-exploit campaigns [1].
Successful exploitation enables an attacker to perform actions normally restricted to higher-privileged users, such as administrators. The exact capabilities depend on the misconfigured function, but the impact can include unauthorized modifications to site settings or data [1].
As of the publication date, the vendor has not released a patch for versions up to 3.1. The recommended immediate action is to update the plugin to a version where the vulnerability is addressed. If updating is not possible, users should contact their hosting provider or web developer for remediation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=3.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.