CVE-2025-14075 in WP Hotel Booking Plugin

Summary

by MITRE • 01/17/2026

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce.


Analysis

by VulDB Data Team • 01/18/2026

The WP Hotel Booking plugin for WordPress presents a critical sensitive information exposure vulnerability that affects all versions up to and including 2.2.7. This flaw resides in the plugin's handling of the 'hotel_booking_fetch_customer_info' AJAX action which is designed to retrieve customer data but fails to implement proper authentication checks. The vulnerability stems from the plugin's reliance on a nonce mechanism alone for protection rather than implementing comprehensive capability verification. Attackers can exploit this weakness by simply providing a valid email address and a publicly accessible nonce to gain access to sensitive customer information. The exposed data includes full names, physical addresses, phone numbers, and email addresses which constitutes a significant privacy breach and potential vector for identity theft or social engineering attacks. This vulnerability directly maps to CWE-200 which defines improper exposure of sensitive information and represents a fundamental flaw in the plugin's access control implementation.

The technical exploitation of this vulnerability occurs through the manipulation of the AJAX endpoint that handles customer information retrieval. Since the plugin does not verify user capabilities before processing the request, any unauthenticated user can submit a request to the 'hotel_booking_fetch_customer_info' action. The system only validates the presence and validity of a nonce parameter while completely ignoring the authenticated user context that should normally be required for such sensitive operations. This design flaw allows attackers to systematically gather customer data by leveraging publicly available nonces that are typically generated for legitimate plugin functionality but are not properly secured against unauthorized access. The vulnerability essentially creates an information disclosure channel that bypasses normal WordPress authentication mechanisms and user role restrictions.

The operational impact of this vulnerability extends beyond simple data exposure to potential regulatory compliance violations and reputational damage for affected businesses. Organizations using the WP Hotel Booking plugin face significant risk of violating data protection regulations such as GDPR, CCPA, and other privacy frameworks that mandate proper handling of personal information. The exposure of customer contact details creates opportunities for phishing attacks, spam campaigns, and other malicious activities that could harm both the business and its customers. Additionally, the vulnerability may enable attackers to perform reconnaissance by gathering information about the customer base, potentially leading to more sophisticated attacks targeting specific individuals or groups within the organization's user community. This type of vulnerability aligns with ATT&CK technique T1567 which describes the exploitation of information disclosure vulnerabilities to gain access to sensitive data.

Mitigation strategies for this vulnerability should focus on implementing proper authentication checks and access controls for all AJAX actions that handle sensitive data. Plugin developers should ensure that all endpoints requiring customer information access enforce capability checks using WordPress's built-in user role verification systems. The nonce validation should be complemented with proper user authentication rather than serving as the sole security mechanism. Organizations should immediately update to the latest version of the plugin once available, implement monitoring for unauthorized access attempts to AJAX endpoints, and consider restricting access to sensitive data through additional layers of security. Network-level monitoring should be implemented to detect unusual patterns of information requests that may indicate exploitation attempts. The vulnerability also highlights the importance of proper security testing during plugin development, particularly around access control mechanisms and data exposure points.
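The pattern the analysis describes, as an added illustration that is not the plugin's own code: a WordPress AJAX handler gated only by a nonce and exposed through the `nopriv` hook, beside a hardened version that requires a session, a capability and an ownership check. All function names, the `hb_customer_nonce` nonce action, the `manage_hb_bookings` capability and the `hb_phone` meta key are assumptions; only the action name comes from the advisory.

```php
<?php
// Added example (not the plugin's code). Customer records are modelled as WP users
// with an assumed 'hb_phone' meta key; all other identifiers are hypothetical too.

// Weak pattern: a nonce is the only gate. A nonce ties a request to a rendered page,
// not to an identity, so anyone holding a public nonce can look up any email.
function weak_fetch_customer_info() {
    check_ajax_referer( 'hb_customer_nonce', 'nonce' );           // who is asking is never checked
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = get_user_by( 'email', $email );                     // arbitrary, attacker-chosen email
    if ( ! $user ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array(
        'name'  => $user->display_name,
        'email' => $user->user_email,
        'phone' => get_user_meta( $user->ID, 'hb_phone', true ),
    ) );
}
// Weak wiring, shown for contrast only and deliberately not registered here:
// add_action( 'wp_ajax_nopriv_hotel_booking_fetch_customer_info', 'weak_fetch_customer_info' );

// Hardened pattern: no nopriv hook, nonce check plus capability check, and the lookup
// is bound to the caller unless they hold a booking-management capability.
function hardened_fetch_customer_info() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );   // wp_send_json_error() ends the request
    }
    check_ajax_referer( 'hb_customer_nonce', 'nonce' );           // CSRF protection, not authorization
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = get_user_by( 'email', $email );

    // Staff with the assumed 'manage_hb_bookings' capability may look up other customers;
    // every other authenticated user may only retrieve their own record.
    $is_self  = $user && (int) $user->ID === get_current_user_id();
    $is_staff = current_user_can( 'manage_hb_bookings' );
    if ( ! $user || ( ! $is_staff && ! $is_self ) ) {
        wp_send_json_error( 'forbidden', 403 );                  // same response for unknown and foreign emails
    }
    wp_send_json_success( array(
        'name'  => $user->display_name,
        'email' => $user->user_email,
        'phone' => get_user_meta( $user->ID, 'hb_phone', true ),
    ) );
}
// Only the authenticated hook is registered; guests never reach the handler.
add_action( 'wp_ajax_hotel_booking_fetch_customer_info', 'hardened_fetch_customer_info' );
```

Returning the same 403 for unknown and for foreign email addresses also prevents the endpoint from confirming which addresses exist as customers.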

Disclosure

01/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00073

KEV

no

Activities

very low

Sector

Hospital
