Unrated severityNVD Advisory· Published Jun 19, 2026

WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers

CVE-2026-9822

Description

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

WordPress/Wp Hotel Bookinginferred2 versions
<2.3.1+ 1 more
- (no CPE)range: <2.3.1
- (no CPE)range: <2.3.1
Package: https://wordpress.org/plugins/wp-hotel-booking

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wpscan.com/vulnerability/107fe41a-c5d9-4547-b413-bbd77cbab986/mitreexploitvdb-entrytechnical-description

News mentions

25 WordPress Plugin CVEs Drop in Two Days: Critical File Deletion, SSRF, and XSS Lead the Batch
Vypr Intelligence · Jun 19, 2026

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000