CVE-2026-8684
Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
22/05/2026
Última modificación:
22/05/2026
Descripción
*** Pendiente de traducción *** The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction.
Impacto
Puntuación base 3.x
5.30
Gravedad 3.x
MEDIA
Referencias a soluciones, herramientas e información
- https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php#L34
- https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83
- https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-api-handler.php#L43
- https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php#L34
- https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83
- https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-api-handler.php#L43
- https://plugins.trac.wordpress.org/changeset/3537354/motopress-hotel-booking-lite/trunk/includes/ajax-api/ajax-actions/update-booking-notes.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6567e63c-3129-47b2-a734-733eb599821a?source=cve