CVE-2026-8684 – MotoPress Hotel Booking

CVE ID :CVE-2026-8684

Published : May 22, 2026, 9:16 a.m. | 45 minutes ago

Description :The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction.

Severity: 5.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-9011 – Ditty

CVE-2026-8692 – Vedrixa Forms

CVE-2026-8679 – AudioIgniter Music Player

CVE-2026-8381 – Broken Access Control in TeamViewer DEX Platform (On Premises)