Security Alert Summary
The WP Hotel Booking plugin for WordPress has a reflected cross-site scripting (XSS) vulnerability in the check_in_date parameter in versions up to and including 2.3.2. Insufficient input sanitization and output escaping may allow an unauthenticated attacker to inject web scripts that execute in a victim’s browser if the victim is tricked into clicking a crafted link.
CVE Details
- CVE ID:
CVE-2026-15094 - Affected component: WP Hotel Booking plugin (parameter:
check_in_date) - Affected versions: All versions up to, and including, 2.3.2
- Published: July 17, 2026 at 6:16:36 AM UTC
- Last modified: July 17, 2026 at 2:59:38 PM UTC
- CVSS v3.1: Base score 6.1, MEDIUM severity; Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - Authentication / Privileges / User interaction: No authentication or privileges required (PR:N); user interaction required (UI:R).
- Impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE.
- Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)
Technical Details
This is a reflected XSS vulnerability caused by insufficient input sanitization and output escaping of the check_in_date parameter. When the plugin reflects this parameter in page output without proper escaping, an attacker can craft a URL containing malicious script payloads. If a user visits or clicks that URL, the injected script can execute in the context of the user’s browser and the affected site.
References in the disclosure point to template and helper code locations within the plugin (for example, files such as ArchiveRoomTemplate.php, class-wphb-helpers.php, and wphb-functions.php), indicating the issue is related to how input is handled and rendered in templates. The vulnerability does not require an authenticated user, but it does require that a victim performs an action such as clicking a crafted link.
Impact is limited to what can be achieved via script execution in a user’s browser (for example, reading or manipulating content available to the page, performing actions available to the user in the page context, or exfiltrating data accessible to the browser). The provided CVSS metrics indicate confidentiality and integrity impacts are low and availability is not affected.
How This Could Impact Your Website
Consider a site with a site owner (administrator), internal staff members (editors or authors), and external contractors or contributors who may access public links or preview pages. An attacker could send a crafted URL that includes a malicious check_in_date value to any of these users. If a user clicks the link, the script could run in their browser and potentially expose data shown on the page or perform actions available to that user in the site context.
Practical consequences include exposure of internal user email addresses or other data presented on the affected pages and an increased risk of targeted phishing or social engineering against staff who have elevated access. The vulnerability requires user interaction, so successful exploitation depends on tricking a user into clicking a malicious link.
professional review may help if you are unsure whether your site is affected or how to assess your current user roles and plugins.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other low-trust roles that can be targeted.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, including unexpected parameter values and requests.
If youd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.2/includes/TemplateHooks/ArchiveRoomTemplate.php#L262
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.2/includes/TemplateHooks/ArchiveRoomTemplate.php#L54
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.2/includes/class-wphb-helpers.php#L29
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.2/includes/wphb-functions.php#L733
- https://plugins.trac.wordpress.org/changeset?reponame=&old=3609563%40wp-hotel-booking&new=3609563%40wp-hotel-booking
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8139f512-7bc9-45ae-83d7-bf496e1ad56d?source=cve