Plugin Vulnerability Hub
Plugin | 20 known issues | Latest disclosed Jan 16, 2026

WP Hotel Booking Vulnerabilities

Review known vulnerability records for the WordPress plugin WP Hotel Booking (`wp-hotel-booking`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-14075, CVE-2025-63011 and CVE-2025-63012, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 20
High or Critical: 7
Patch Coverage: 100%
Last Updated: Apr 14, 2026

Priority CVE Quick Links

Fast paths into WP Hotel Booking CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 18

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WP Hotel Booking so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 20 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 3 critical and 4 high severity findings.
Recent CVEs: CVE-2025-14075, CVE-2025-63011 and CVE-2025-63012
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Known Vulnerabilities

Reports for WP Hotel Booking

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Medium | Patched: Yes | CVE-2025-14075
CVE-2025-14075: WP Hotel Booking <= 2.2.7 - Unauthenticated Sensitive Information Exposure via 'email' Parameter

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks,...

Published: Jan 16, 2026
Patched Release: 2.2.8
Affected Versions: Versions up to 2.2.7
Next Step: Update to 2.2.8 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-63011
CVE-2025-63011: Hotel Booking <= 2.2.8 - Authenticated (Editor+) Stored Cross-Site Scripting

The Hotel Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to injec...

Published: Nov 05, 2025
Patched Release: 2.2.9
Affected Versions: Versions up to 2.2.8
Next Step: Update to 2.2.9 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-63012
CVE-2025-63012: Hotel Booking <= 2.2.8 - Cross-Site Request Forgery

The Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.8. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action v...

Published: Nov 05, 2025
Patched Release: 2.2.9
Affected Versions: Versions up to 2.2.8
Next Step: Update to 2.2.9 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-63013
CVE-2025-63013: Hotel Booking <= 2.2.7 - Unauthenticated Information Exposure

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Published: Nov 05, 2025
Patched Release: 2.2.8
Affected Versions: Versions up to 2.2.7
Next Step: Update to 2.2.8 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-8942
CVE-2025-8942: WP Hotel Booking <= 2.2.1 - Improper Input Validation to Authenticated (Subscriber+) Rating Manipulation

The WP Hotel Booking plugin for WordPress is vulnerable to rating manipulation in all versions up to, and including, 2.2.2. This is due to insufficient input validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to leave negative...

Published: Aug 28, 2025
Patched Release: 2.2.3
Affected Versions: Versions up to 2.2.2
Next Step: Update to 2.2.3 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-47448
CVE-2025-47448: WP Hotel Booking <= 2.1.9 - Cross-Site Request Forgery

The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.9. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to update plugin settin...

Published: May 07, 2025
Patched Release: 2.2.0
Affected Versions: Versions up to 2.1.9
Next Step: Update to 2.2.0 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-13447
CVE-2024-13447: WP Hotel Booking <= 2.1.6 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with Subscrib...

Published: Jan 21, 2025
Patched Release: 2.1.7
Affected Versions: Versions up to 2.1.6
Next Step: Update to 2.1.7 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-12370
CVE-2024-12370: WP Hotel Booking <= 2.1.5 - Missing Authorization

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices.

Published: Jan 16, 2025
Patched Release: 2.1.6
Affected Versions: Versions up to 2.1.5
Next Step: Update to 2.1.6 or newer if supported.

Plugin | High | Patched: Yes | CVE-2024-51582
CVE-2024-51582: WP Hotel Booking <= 2.2.9 - Authenticated (Contributor+) Local File Inclusion

The WP Hotel Booking plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the...

Published: Oct 31, 2024
Patched Release: 2.3.0
Affected Versions: Versions up to 2.2.9
Next Step: Update to 2.3.0 or newer if supported.

Plugin | High | Patched: Yes | CVE-2024-7855
CVE-2024-7855: WP Hotel Booking <= 2.1.2 - Authenticated (Subscriber+) Arbitrary File Upload

The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and...

Published: Oct 01, 2024
Patched Release: 2.1.3
Affected Versions: Versions up to 2.1.2
Next Step: Update to 2.1.3 or newer if supported.

Plugin | Critical | Patched: Yes | CVE-2024-3605
CVE-2024-3605: WP Hotel Booking <= 2.1.0 - Unauthenticated SQL Injection

The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficie...

Published: Jun 19, 2024
Patched Release: 2.1.1
Affected Versions: Versions up to 2.1.0
Next Step: Update to 2.1.1 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-30508
CVE-2024-30508: WP Hotel Booking <= 2.0.9.2 - Missing Authorization

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 2.0.9.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published: Mar 28, 2024
Patched Release: 2.0.9.3
Affected Versions: Versions up to 2.0.9.2
Next Step: Update to 2.0.9.3 or newer if supported.