CVE-2026-9822 – WP Hotel Booking < 2.3.1 – Subscriber+ Missing Authorization in Multiple AJAX Handlers

CVE ID :CVE-2026-9822

Published : June 19, 2026, 6 a.m. | 1 hour, 43 minutes ago

Description :The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users’ booking line items, enumerate active coupons, and read pricing data.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…