CVE-2026-9822 - Vulnerability Details - OpenCVE

ReportizFlow

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Wordpress	Wordpress
Wp Hotel Booking	Wp Hotel Booking

No data.

No data.

References

Link	Providers
https://wpscan.com/vulnerability/107fe41a-c5d9-4547-b413-bbd77cbab986/

History

Wed, 24 Jun 2026 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Wp Hotel Booking Wp Hotel Booking wp Hotel Booking
Vendors & Products		Wordpress Wordpress wordpress Wp Hotel Booking Wp Hotel Booking wp Hotel Booking

Mon, 22 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-284

Mon, 22 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 19 Jun 2026 08:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284

Fri, 19 Jun 2026 06:15:00 +0000

Type	Values Removed	Values Added
Description		The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.
Title		WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers
References		https://wpscan.com/vulnerability/107fe41a-c5d9-4547-b413-bbd77cbab986/

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2026-06-19T06:00:01.847Z

Updated: 2026-06-22T16:15:45.924Z

Reserved: 2026-05-28T11:27:47.482Z

Link: CVE-2026-9822

Vulnrichment

Updated: 2026-06-22T16:15:41.050Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9822", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-05-28T11:27:47.482Z", "datePublished": "2026-06-19T06:00:01.847Z", "dateUpdated": "2026-06-22T16:15:45.924Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-06-19T06:00:01.847Z"}, "title": "WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers", "problemTypes": [{"descriptions": [{"description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "WP Hotel Booking", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "2.3.1"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data."}], "references": [{"url": "https://wpscan.com/vulnerability/107fe41a-c5d9-4547-b413-bbd77cbab986/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Sanjorn Keeratirungsan", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-22T16:15:27.197348Z", "id": "CVE-2026-9822", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T16:15:45.924Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Sanjorn Keeratirungsan"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "WP Hotel Booking", "versions": [{"status": "affected", "version": "0", "lessThan": "2.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/107fe41a-c5d9-4547-b413-bbd77cbab986/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-06-19T06:00:01.847Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-9822", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-22T16:15:27.197348Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-06-22T16:15:41.050Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-9822", "state": "PUBLISHED", "dateUpdated": "2026-06-19T06:00:01.847Z", "dateReserved": "2026-05-28T11:27:47.482Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-06-19T06:00:01.847Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}