vulnerability
WordPress Plugin: wp-hotel-booking: CVE-2023-5799: Incorrect Authorization
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:N/I:P/A:N) | Oct 26, 2023 | May 15, 2025 | Jul 10, 2025 |
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
Published
Oct 26, 2023
Added
May 15, 2025
Modified
Jul 10, 2025
Description
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient authorization checks on the tp_extra_package_remove() function hooked via AJAX in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with contributor-level access and above, to delete arbitrary posts. While the patch for CVE-2023-5651 ensured subscriber-level users couldn't delete arbitrary posts, the checks were not sufficient in preventing higher authenticated users such as contributors from deleting arbitrary posts.
Solution
wp-hotel-booking-plugin-cve-2023-5799
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.