Privilege Escalation Vulnerability in WP Hotel Booking Plugin
CVE-2026-9822
Currently unrated
Key Information:
- Vendor: WordPress
- Status
- Vendor
- CVE Published: 19 June 2026
Badges
Exploit Exists, Public PoC
What is CVE-2026-9822?
The WP Hotel Booking plugin, prior to version 2.3.1, lacks sufficient capability checks in several AJAX handlers. This oversight allows users with only Subscriber-level access to access sensitive data, such as other users' booking line items, active coupon codes, and pricing information. The absence of these checks may lead to unauthorized data manipulation and exposure, posing significant risks to user privacy and data integrity.
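The class of check the description says is missing, as an added example (not the plugin's code and not taken from this page): a handler that relies only on the caller being logged in, beside one that verifies a nonce and then a capability or ownership of the record. The action names, the `example_booking` post type, the `_example_items` meta key and the choice of `edit_others_posts` as the staff capability are all assumptions.

```php
<?php
// Added illustration. Hook names, post type and meta key are hypothetical
// and do not come from WP Hotel Booking.

// Weak pattern: wp_ajax_{action} only guarantees the caller is logged in,
// so a Subscriber reaches this handler exactly like an administrator.
add_action( 'wp_ajax_example_items_unchecked', 'example_items_unchecked' );
function example_items_unchecked() {
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    // No nonce, no capability check, no ownership check.
    wp_send_json_success( example_load_items( $booking_id ) );
}

// Hardened pattern: nonce, object validation, then authorization.
add_action( 'wp_ajax_example_items', 'example_items' );
function example_items() {
    // 1. CSRF: terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_items', 'nonce' );

    // 2. Validate the object before deciding who may see it.
    $booking_id = absint( wp_unslash( $_POST['booking_id'] ?? 0 ) );
    $booking    = $booking_id ? get_post( $booking_id ) : null;
    if ( ! $booking || 'example_booking' !== $booking->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // 3. Authorization: staff capability, or the caller owns this booking.
    $is_staff = current_user_can( 'edit_others_posts' );
    $is_owner = (int) $booking->post_author === get_current_user_id();
    if ( ! $is_staff && ! $is_owner ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    wp_send_json_success( example_load_items( $booking_id ) );
}

// Hypothetical data access: line items stored as post meta on the booking.
function example_load_items( $booking_id ) {
    $items = get_post_meta( $booking_id, '_example_items', true );
    return is_array( $items ) ? $items : array();
}
```

Handlers that return site-wide data with no per-user owner, such as coupon lists or pricing rules, need the capability check alone, since no ownership fallback applies.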
Affected Version(s)
WP Hotel Booking 0 < 2.3.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.