CVE-2026-15094 in WP Hotel Booking Plugininfo

Summary

by MITRE • 07/17/2026

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'check_in_date' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/17/2026

The WP Hotel Booking plugin for WordPress represents a widely used solution for managing hotel reservations and bookings within wordpress environments, yet it contains a critical reflected cross-site scripting vulnerability that affects all versions up to and including 2.3.2. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, specifically targeting the 'check_in_date' parameter which is processed through user-supplied inputs. The flaw allows malicious actors to inject arbitrary web scripts into pages that will execute when users navigate to affected URLs, creating a significant security risk for website administrators and their visitors.

The technical nature of this vulnerability places it firmly within the scope of CWE-79, which defines cross-site scripting as a common weakness where untrusted data is improperly escaped before being returned to users. The reflected nature of the vulnerability means that the malicious script is reflected off the web server rather than being stored, making it particularly dangerous for unauthenticated attackers who can leverage this weakness through social engineering tactics. Attackers typically construct malicious URLs containing crafted payloads in the check_in_date parameter and then distribute these links to unsuspecting users through phishing campaigns or by embedding them in compromised websites.

The operational impact of this vulnerability extends beyond simple script injection, as it creates potential pathways for more sophisticated attacks including session hijacking, credential theft, and redirection to malicious sites. When users click on the crafted links, their browsers execute the injected scripts within the context of the vulnerable website, potentially allowing attackers to access cookies, session tokens, or other sensitive information that could be used to compromise user accounts or gain unauthorized access to administrative functions. The reflected nature means that each attack must be individually crafted and delivered to specific targets rather than being persistent across the entire website.

Mitigation strategies for this vulnerability should include immediate patching of the WP Hotel Booking plugin to version 2.3.3 or later, which contains the necessary input sanitization fixes and output escaping improvements. Security administrators should also implement additional protective measures such as content security policies that restrict script execution on the affected pages, regular monitoring of website traffic for suspicious parameter usage, and user education regarding the dangers of clicking unverified links. Organizations should consider implementing web application firewalls to detect and block malicious payloads targeting this specific vulnerability. The ATT&CK framework categorizes this weakness under T1203 - Exploitation for Client Execution, highlighting the importance of proper input validation and output escaping in preventing such client-side attacks that can escalate into more serious security incidents including persistent threats and data exfiltration operations.

Responsible

Wordfence

Reservation

07/08/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!