VYPR
Medium severity 6.5 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 28, 2026

CVE-2025-68005


Description

Missing Authorization vulnerability in themewant Easy Hotel Booking easy-hotel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Hotel Booking: from n/a through <= 1.9.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Easy Hotel Booking WordPress plugin through version 1.9.2 has a missing authorization vulnerability allowing unprivileged users to exploit broken access control.

Analysis

The Easy Hotel Booking WordPress plugin (versions up to and including 1.9.2) suffers from a missing authorization vulnerability [1]. The flaw lies in incorrectly configured access control security levels, meaning that certain functions or endpoints do not properly verify whether the user has the required permissions or a valid nonce token [1]. This is a classic 'Broken Access Control' issue in the WordPress ecosystem.

Exploitation

An attacker does not need any special privileges to exploit this vulnerability; it can be triggered by any unauthenticated or low-privileged user [1]. Since the plugin fails to enforce authorization checks, an attacker can directly call sensitive functions that should be restricted to higher-privileged roles such as administrators [1]. The attack vector is over the network and requires no user interaction.

Impact

Successful exploitation allows an attacker to perform unauthorized actions within the plugin's scope, such as modifying hotel booking settings, accessing or altering reservations, or escalating privileges [1]. This could lead to data integrity compromises and disruption of the booking system. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns against thousands of websites [1].

Mitigation

Users are advised to immediately update the Easy Hotel Booking plugin to a patched version beyond 1.9.2 [1]. If an update is not yet available, site owners should contact the plugin vendor or a web developer to implement a workaround, such as disabling the plugin until a fix is released [1]. No EOL or KEV listing is mentioned in the reference, but the vendor Patchstack has published detailed advisory information.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
