CVE-2025-14075
📋 TL;DR
The WP Hotel Booking WordPress plugin exposes sensitive customer information to unauthenticated attackers. By providing a valid email address and a publicly accessible nonce, attackers can retrieve full names, addresses, phone numbers, and email addresses. All WordPress sites using WP Hotel Booking version 2.2.7 or earlier are affected.
💻 Affected Systems
- WP Hotel Booking WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass data breach exposing all customer PII (names, addresses, phone numbers, emails) leading to identity theft, phishing campaigns, and regulatory fines.
Likely Case
Targeted data harvesting of customer information for spam, phishing, or credential stuffing attacks.
If Mitigated
Limited exposure if nonces are not publicly accessible, but risk remains due to weak authentication design.
🎯 Exploit Status
Exploitation requires only a valid email address and nonce, both often publicly accessible in WordPress.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.8 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP Hotel Booking and click 'Update Now'. 4. Verify version is 2.2.8 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allRemove or restrict access to the 'hotel_booking_fetch_customer_info' AJAX action via .htaccess or plugin modification.
# Add to .htaccess:
<Files "class-wphb-ajax.php">
Order Allow,Deny
Deny from all
</Files>
🧯 If You Can't Patch
- Disable WP Hotel Booking plugin immediately until patched.
- Implement web application firewall (WAF) rules to block requests to 'hotel_booking_fetch_customer_info' endpoint.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If WP Hotel Booking is version 2.2.7 or earlier, it's vulnerable.Check Version:
wp plugin list --name="WP Hotel Booking" --field=versionVerify Fix Applied:
After update, confirm plugin version shows 2.2.8 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=hotel_booking_fetch_customer_info from unauthenticated IPs
- Unusual volume of admin-ajax.php requests
Network Indicators:
- POST requests to admin-ajax.php with 'hotel_booking_fetch_customer_info' parameter
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND post_data="hotel_booking_fetch_customer_info" AND user_agent NOT CONTAINS "WordPress"🔗 References
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L192
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L36
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/trunk/includes/class-wphb-ajax.php#L192
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429399%40wp-hotel-booking&new=3429399%40wp-hotel-booking&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1fc4eaec-b5d8-4707-9260-bac02a4b1866?source=cve
