CVE-2026-8684
Description
The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The MotoPress Hotel Booking plugin for WordPress up to 6.0.1 allows unauthenticated attackers to overwrite or delete internal booking notes due to missing authorization checks and exposed nonces.
Vulnerability
The MotoPress Hotel Booking plugin for WordPress versions up to and including 6.0.1 contains an authorization bypass vulnerability in the update-booking-notes AJAX action. The plugin fails to verify that the requesting user has permission to modify the internal notes (_mphb_booking_internal_notes) of a specific booking. The action only checks that the booking ID exists, not that the user is authorized to access it. Additionally, the nonce used for CSRF protection is output on every public page via wp_localize_script, making it accessible to any unauthenticated visitor [1].
Exploitation
An unauthenticated attacker can obtain the nonce from the HTML source of any public page by inspecting the MPHB._data.nonces JavaScript object. The attacker then sends a POST request to the WordPress AJAX endpoint with the action mphb_update_booking_notes, the nonce, and an arbitrary booking ID along with new note data. The plugin's getValidatedRequestData method in update-booking-notes.php only validates that the booking exists, not that the attacker has any relationship to it [2][3][4]. The attacker can supply an empty notes array to delete all notes or provide new note content to overwrite them.
Impact
Successful exploitation allows an unauthenticated attacker to overwrite or delete the internal notes of any booking in the system. This leads to data integrity loss, as internal notes may contain sensitive information or operational instructions. The attacker does not gain any other privileges or access to the booking's other data.
Mitigation
The vendor has released a fix in version 6.0.2 (or later) that adds proper authorization checks. Users should update to the latest version immediately. No workaround is available for versions prior to 6.0.2. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
- https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php#L34
- https://plugins.trac.wordpress.org/changeset/3537354/motopress-hotel-booking-lite/trunk/includes/ajax-api/ajax-actions/update-booking-notes.php
- https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83
- https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=6.0.1
- Range: <=6.0.1
Patches
- r3537354
Vulnerability mechanics
Root cause
"Missing authorization check allows unauthenticated attackers to overwrite or delete internal notes of any booking by supplying an arbitrary booking ID."
Attack vector
An unauthenticated attacker can overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by sending a crafted request with an arbitrary booking ID. The nonce required for the action is exposed in the HTML source of every public page via wp_localize_script (MPHB._data.nonces), making it trivially obtainable by any visitor. No authentication or prior user interaction is needed. The only precondition is knowledge of a valid booking ID, which can be enumerated or guessed. [patch_id=1605916]
Affected code
The vulnerability exists in the MotoPress Hotel Booking plugin for WordPress versions up to and including 6.0.1. The affected code handles the saving and deletion of the _mphb_booking_internal_notes post meta field for bookings. The patch modifies the action callbacks that process these requests to add authorization checks. [patch_id=1605916]
What the fix does
The patch adds a proper capability check (current_user_can) before allowing the update or deletion of booking internal notes. Previously the action only verified a nonce, which was publicly exposed, but did not verify that the requesting user had any authorization to manage bookings. By requiring the appropriate WordPress capability, the fix ensures that only authenticated users with the correct role (e.g., administrators or hotel managers) can modify booking notes. [patch_id=1605916]
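The handler shapes described above, as an added illustrative example (not MotoPress code): the vulnerable form relies on a nonce plus an existence check, the fixed form adds a per-booking capability check before any write and is only registered on the logged-in AJAX hook. The action name, meta key and `current_user_can` are from the advisory; the `nopriv` registration, the nonce names, the `mphb_booking` post type and the `example_*` function names are assumptions.

```php
<?php
// Added example, not the plugin's code. Contrasts the advisory's vulnerable handler
// shape (nonce + existence check only) with the fixed shape (capability check).
// Assumed: nopriv hook, nonce action/field names, 'mphb_booking' post type.

// Vulnerable shape: reachable without login, guarded only by a nonce that is printed
// into every public page, so the nonce proves nothing about who is calling.
add_action( 'wp_ajax_nopriv_mphb_update_booking_notes', 'example_update_notes_vulnerable' );
function example_update_notes_vulnerable() {
    check_ajax_referer( 'mphb_update_booking_notes', 'mphb_nonce' ); // CSRF token only
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    if ( ! get_post( $booking_id ) ) {            // "does it exist?" is not "may you edit it?"
        wp_send_json_error( array( 'message' => 'no such booking' ), 404 );
    }
    update_post_meta( $booking_id, '_mphb_booking_internal_notes', example_sanitize_notes( $_POST['notes'] ?? array() ) );
    wp_send_json_success();
}

// Fixed shape: logged-in hook only, plus an authorization check tied to this booking.
add_action( 'wp_ajax_mphb_update_booking_notes', 'example_update_notes_fixed' );
function example_update_notes_fixed() {
    check_ajax_referer( 'mphb_update_booking_notes', 'mphb_nonce' );
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    if ( ! $booking_id || get_post_type( $booking_id ) !== 'mphb_booking' ) { // assumed post type
        wp_send_json_error( array( 'message' => 'no such booking' ), 404 );
    }
    // The missing check: the capability is evaluated against this booking ID, not just "logged in".
    if ( ! current_user_can( 'edit_post', $booking_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $notes = example_sanitize_notes( $_POST['notes'] ?? array() );
    if ( empty( $notes ) ) {
        delete_post_meta( $booking_id, '_mphb_booking_internal_notes' ); // deletion is now an authorized operation
    } else {
        update_post_meta( $booking_id, '_mphb_booking_internal_notes', $notes );
    }
    wp_send_json_success( array( 'count' => count( $notes ) ) );
}

// Shared helper: accept only a flat list of strings, strip tags, drop empty entries.
function example_sanitize_notes( $raw ) {
    if ( ! is_array( $raw ) ) {
        return array();
    }
    $clean = array_map( 'sanitize_textarea_field', array_map( 'wp_unslash', $raw ) );
    return array_values( array_filter( $clean, 'strlen' ) );
}
```

The same defect is easy to spot in review: any `wp_ajax_nopriv_` handler that writes post meta, or any handler whose only guard is `check_ajax_referer`, needs a `current_user_can` check scoped to the object it modifies.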
Preconditions
- Knowledge of a valid booking ID (can be enumerated or guessed).
- Network access to the WordPress site.
Generated on May 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php (nvd)
- plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/update-booking-notes.php (nvd)
- plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-api-handler.php (nvd)
- plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php (nvd)
- plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/update-booking-notes.php (nvd)
- plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-api-handler.php (nvd)
- plugins.trac.wordpress.org/changeset/3537354/motopress-hotel-booking-lite/trunk/includes/ajax-api/ajax-actions/update-booking-notes.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/6567e63c-3129-47b2-a734-733eb599821a (nvd)