Wp Hotel Booking
Approved changes feed: RSS · Atom
cpe:2.3:a:thimpress:wp_hotel_booking:*:*:*:*:*:wordpress:*:*
part: a version: * update: *
| Vendor | Thimpress (3359de0e-d602-5f4a-8b30-12c81ab7a63c) |
|---|---|
| Product | Wp Hotel Booking (1940e053-e70b-5f39-a312-43b87024f52f) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | wordpress |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/thimpresswp/wp-hotel-booking |
purl2cpe | 2026-06-01 10:11:30.853894 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2024-7855 |
vulnerable | 2026-06-03 14:58:07.415210 |
WP Hotel Booking <= 2.1.2 - Authenticated (Subscriber+) Arbitrary File Upload
HIGH (8.8)
The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2024-10-02T04:31:17.744Z
Updated: 2026-04-08T17:01:51.434Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-51582 |
vulnerable | 2026-06-03 14:57:26.217247 |
WordPress WP Hotel Booking plugin <= 2.2.9 - Local File Inclusion vulnerability
HIGH (7.5)
Path Traversal: '.../...//' vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows PHP Local File Inclusion.This issue affects WP Hotel Booking: from n/a through <= 2.2.9.
Published: 2024-11-04T13:38:39.051Z
Updated: 2026-05-11T21:39:58.194Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3605 |
vulnerable | 2026-06-03 14:56:25.086108 |
WP Hotel Booking <= 2.1.0 - Unauthenticated SQL Injection
CRITICAL (10)
The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2024-06-20T02:08:22.137Z
Updated: 2026-04-08T16:54:43.535Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-30508 |
vulnerable | 2026-06-03 14:55:38.491595 |
WordPress WP Hotel Booking plugin <= 2.0.9.2 - Broken Access Control vulnerability
MEDIUM (6.5)
Missing Authorization vulnerability in ThimPress WP Hotel Booking.This issue affects WP Hotel Booking: from n/a through 2.0.9.2.
Published: 2024-03-29T14:17:20.834Z
Updated: 2026-04-28T16:09:25.786Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-13447 |
vulnerable | 2026-06-03 14:54:24.664546 |
WP Hotel Booking <= 2.1.6 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
MEDIUM (4.3)
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a list of registered user emails.
Published: 2025-01-22T11:07:58.320Z
Updated: 2026-04-08T17:18:45.734Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-12370 |
vulnerable | 2026-06-03 14:54:16.227076 |
WP Hotel Booking <= 2.1.5 - Missing Authorization
MEDIUM (5.3)
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices.
Published: 2025-01-17T08:25:38.307Z
Updated: 2026-04-08T16:56:04.938Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5799 |
vulnerable | 2026-06-03 14:53:49.671588 |
WP Hotel Booking < 2.0.9 - Contributor+ Arbitrary Post Deletion
The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them
Published: 2023-11-20T18:55:07.999Z
Updated: 2024-08-02T08:14:24.001Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5652 |
vulnerable | 2026-06-03 14:53:49.281905 |
WP Hotel Booking < 2.0.8 - Unauthenticated SQLi
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admin_init, allowing unauthenticated users to perform SQL injections
Published: 2023-11-20T18:55:06.152Z
Updated: 2024-08-02T08:07:32.460Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-5651 |
vulnerable | 2026-06-03 14:53:49.281543 |
WP Hotel Booking < 2.0.8 - Subscriber+ Arbitrary Post Deletion
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated users, such as subscriber to delete arbitrary posts
Published: 2023-11-20T18:55:08.790Z
Updated: 2024-10-01T14:31:01.633Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-36852 |
vulnerable | 2026-06-03 14:44:59.264299 |
WordPress WP Hotel Booking plugin <= 1.10.5 - Cross-Site Request Forgery (CSRF) vulnerability
MEDIUM (4.3)
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking plugin <= 1.10.5 at WordPress.
Published: 2022-08-22T14:45:47.953Z
Updated: 2026-04-28T16:07:34.320Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-36757 |
vulnerable | 2026-06-03 14:42:39.911230 |
WP Hotel Booking <= 1.10.1 - Cross-Site Request Forgery Bypass
MEDIUM (4.3)
The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.1. This is due to missing or incorrect nonce validation on the admin_add_order_item() function. This makes it possible for unauthenticated attackers to add an order item via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2023-07-12T06:52:35.053Z
Updated: 2026-04-08T17:28:06.837Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-29047 |
vulnerable | 2026-06-03 14:42:22.032876 |
Details available
The wp-hotel-booking plugin through 1.10.2 for WordPress allows remote attackers to execute arbitrary code because of an unserialize operation on the thimpress_hotel_booking_1 cookie in load in includes/class-wphb-sessions.php.
Published: 2021-03-03T17:15:29.000Z
Updated: 2024-08-04T16:48:01.371Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.