Thimpress Wp Hotel Booking
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Thimpress Wp Hotel Booking.
By the Year
In 2026 there have been 1 vulnerability in Thimpress Wp Hotel Booking with an average score of 5.3 out of ten. Last year, in 2025 Wp Hotel Booking had 6 security vulnerabilities published. Right now, Wp Hotel Booking is on track to have less security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.48.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 5.30 |
| 2025 | 6 | 4.82 |
| 2024 | 4 | 9.53 |
| 2023 | 5 | 6.23 |
| 2022 | 1 | 8.00 |
It may take a day or so for new Wp Hotel Booking vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Thimpress Wp Hotel Booking Security Vulnerabilities
WP Hotel Booking 2.2.7: AJAX Sensitive Data Exposure
CVE-2025-14075
5.3 - Medium
- January 17, 2026
The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce.
Information Disclosure
WP Hotel Booking <=2.2.7 Sensitive Info Exposure via Unauthorized Control Sphere
CVE-2025-63013
4.3 - Medium
- December 09, 2025
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Retrieve Embedded Sensitive Data.This issue affects WP Hotel Booking: from n/a through <= 2.2.7.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
WP Hotel Booking CSRF via wp-hotel-booking (<=2.2.7)
CVE-2025-63012
4.3 - Medium
- December 09, 2025
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery.This issue affects WP Hotel Booking: from n/a through <= 2.2.8.
Session Riding
WP Hotel Booking <=2.2.7 DOM-Based XSS (improper neutralization of input)
CVE-2025-63011
5.9 - Medium
- December 09, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS.This issue affects WP Hotel Booking: from n/a through <= 2.2.8.
XSS
CSRF in ThimPress WP Hotel Booking <=2.1.9
CVE-2025-47448
- May 07, 2025
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking allows Cross Site Request Forgery. This issue affects WP Hotel Booking: from n/a through 2.1.9.
Session Riding
WP Hotel Booking 2.1.6 Unauthorized Access via AJAX Subscriber
CVE-2024-13447
4.3 - Medium
- January 22, 2025
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a list of registered user emails.
AuthZ
WP Hotel Booking <=2.1.5: Cap check missing in addroom
CVE-2024-12370
5.3 - Medium
- January 17, 2025
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices.
Authorization
ThimPress WP Hotel Booking 2.1.4 LFI via Path Traversal
CVE-2024-51582
- November 04, 2024
Path Traversal: '.../...//' vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows PHP Local File Inclusion.This issue affects WP Hotel Booking: from n/a through <= 2.2.9.
Path Traversal: '.../...//'
WP Hotel Booking <=2.1.2 Arbitrary File Upload via update_review()
CVE-2024-7855
8.8 - High
- October 02, 2024
The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Unrestricted File Upload
WP Hotel Booking <=2.1.0 REST API SQLi via room_type (unauth)
CVE-2024-3605
10 - Critical
- June 20, 2024
The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
SQL Injection
Missing Auth in ThimPress WP Hotel Booking v1.x-2.0.9.2
CVE-2024-30508
9.8 - Critical
- March 29, 2024
Missing Authorization vulnerability in ThimPress WP Hotel Booking.This issue affects WP Hotel Booking: from n/a through 2.0.9.2.
AuthZ
WP Hotel Booking CSRF/Unauth Post Deletion (v<2.0.8)
CVE-2023-5651
5.4 - Medium
- November 20, 2023
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated users, such as subscriber to delete arbitrary posts
Incorrect Permission Assignment for Critical Resource
Unauthenticated SQLi in WP Hotel Booking (<2.0.8) missing auth/CSRF
CVE-2023-5652
9.8 - Critical
- November 20, 2023
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admin_init, allowing unauthenticated users to perform SQL injections
SQL Injection
WP Hotel Booking Plugin <2.0.8: Improper Auth on Package Delete by Contributors
CVE-2023-5799
5.4 - Medium
- November 20, 2023
The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them
AuthZ
Unauthed CSRF in WP Hotel Booking 1.10.1 via admin_add_order_item
CVE-2020-36757
4.3 - Medium
- July 12, 2023
The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.1. This is due to missing or incorrect nonce validation on the admin_add_order_item() function. This makes it possible for unauthenticated attackers to add an order item via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Session Riding
Common Vulnerability in unspecified software (CVE-2021-4342)
CVE-2021-4342
- June 07, 2023
** REJECT ** CVE split into individual CVE IDs for each software record.
ThimPress WP Hotel Booking <=1.10.5: CrossSite Request Forgery (CSRF)
CVE-2021-36852
8 - High
- August 22, 2022
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking plugin <= 1.10.5 at WordPress.
Session Riding
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Thimpress Wp Hotel Booking or by Thimpress? Click the Watch button to subscribe.
