CVE-2026-9822

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 19, 2026

Vendor unknown

Description

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data.

References

https://wpscan.com/vulnerability/107fe41a-c5d9-4547-b413-bbd77cbab986/