Security Alert Summary
The WP Hotel Booking plugin is affected by a sensitive information exposure vulnerability (CVE-2025-14075) that allows unauthenticated users to retrieve customer details. The issue is caused by an AJAX action exposed without proper capability checks and protected only by a nonce, which can be used with a valid email address to obtain customer names, addresses, phone numbers, and email addresses.
CVE Details
- CVE ID:
CVE-2025-14075 - Affected component: WP Hotel Booking plugin for WordPress
- Affected versions: All versions up to and including 2.2.7
- Published: January 17, 2026 at 3:16:03 AM
- Last modified: January 17, 2026 at 3:16:03 AM
- CVSS v3.1: Base Score 5.3, Severity MEDIUM
- Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: NONE
- Availability Impact: NONE
- Vector:
- CWE / Weakness: CWE-200 (Exposure of Sensitive Information)
Technical Details
The vulnerability exists because the plugin exposes the AJAX action hotel_booking_fetch_customer_info to unauthenticated users and relies solely on a nonce for protection instead of verifying user capabilities. An attacker who can supply a valid email address and a publicly accessible nonce can use that action to retrieve stored customer information, including full names, addresses, phone numbers, and email addresses.
No additional functions, REST endpoints, or checks are specified in the CVE beyond the named AJAX action and the lack of capability checks. The impact is limited to disclosure of the customer data fields described; there is no CVE data indicating modification or destruction of data.
How This Could Impact Your Website
On a site using WP Hotel Booking, an unauthenticated attacker could query the exposed AJAX action with a customer email and a nonce and receive personal contact information. In a small business scenario, staff handling bookings (site owner, reception staff, or an external contractor) may have customer records that include addresses and phone numbers; if that data is exposed, it increases the likelihood of targeted phishing or social engineering against customers or staff.
For example, an attacker could gather a list of guest email addresses and phone numbers and use that information to craft convincing phishing messages to customers or to attempt fraud against staff who recognize guests by name. The vulnerability does not indicate direct account takeover or site-wide compromise, but the disclosure of customer PII is a tangible privacy and reputational risk.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level accounts and any accounts with elevated access.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, such as repeated requests to AJAX endpoints that return customer data.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L192
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L36
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/trunk/includes/class-wphb-ajax.php#L192
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429399%40wp-hotel-booking&new=3429399%40wp-hotel-booking&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1fc4eaec-b5d8-4707-9260-bac02a4b1866?source=cve