Hotel Booking Security & Risk Analysis

wordpress.org/plugins/nd-booking

Hotel booking, perfect solution for manage Hotel reservations. For Hotel and Travel activities.

5K active installs v3.8 PHP + WP 4.5+ Updated Jun 23, 2025
book · booking · hotel · travel
Score 46 · D · High Risk
CVEs total: 6
Unpatched: 1
Last CVE: Dec 31, 2025
Safety Verdict

Is Hotel Booking Safe to Use in 2026?

High Risk

Score 46/100

Hotel Booking carries significant security risk with 6 known CVEs, 1 still unpatched. Consider switching to a maintained alternative.

6 known CVEs · 1 unpatched · Last CVE: Dec 31, 2025 · Updated 9mo ago
Risk Assessment

The static analysis of "nd-booking" v3.8 reveals a generally strong security posture in terms of code implementation. The absence of dangerous functions, 100% use of prepared statements for SQL queries, and complete output escaping are significant strengths. The plugin also demonstrates good practice with nonce and capability checks present, and a complete lack of unprotected entry points. However, the presence of 11 AJAX handlers, while protected, still contributes to the overall attack surface that needs careful monitoring. File operations and external HTTP requests, although few, are areas where vulnerabilities could potentially be introduced if not handled with extreme care.

The vulnerability history is a major concern, with 6 known CVEs, including 2 critical and 2 high severity ones. The fact that 1 out of these 6 CVEs remains unpatched is a critical security risk. The common vulnerability types, such as Missing Authorization, PHP Remote File Inclusion, and Cross-site Scripting, indicate recurring weaknesses in how the plugin handles user input and access control. The recent date of the last vulnerability (2025-12-31) suggests that these issues are either ongoing or have been addressed very recently, but the unpatched vulnerability is a clear and present danger.

In conclusion, while the current version (v3.8) shows good coding practices in isolation, the historical vulnerability data, particularly the unpatched critical issue, heavily outweighs these positives. This plugin carries a significant risk due to its past security failures and the presence of an outstanding exploit. Users should exercise extreme caution and prioritize patching this vulnerability immediately.

Key Concerns

  • Unpatched CVE
  • Known critical vulnerabilities in history
  • Known high vulnerabilities in history
  • Large attack surface (11 AJAX handlers)
  • File operations present
  • External HTTP requests present
Vulnerabilities: 6

Hotel Booking Security Vulnerabilities

CVEs by Year

2019: 1 CVE
2022: 1 CVE
2025: 4 CVEs · unpatched

Severity Breakdown

Critical: 2
High: 2
Medium: 2

6 total CVEs

CVE-2025-63001 · medium · 5.3 · Missing Authorization

Hotel Booking <= 3.8 - Missing Authorization

Dec 31, 2025 Unpatched
CVE-2025-53259 · high · 7.5 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Hotel Booking <= 3.7 - Authenticated (Contributor+) Local File Inclusion

Jun 27, 2025 Patched in 3.8 (6d)
CVE-2025-47498 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Hotel Booking <= 3.6 - Authenticated (Contributor+) Local File Inclusion

May 7, 2025 Patched in 3.7 (7d)
CVE-2025-39526 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Hotel Booking <= 3.6 - Unauthenticated Local File Inclusion

Apr 17, 2025 Patched in 3.7 (9d)
CVE-2022-29443 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Hotel Booking < 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 26, 2022 Patched in 3.3 (606d)
CVE-2019-15774 · critical · 9.6 · Missing Authorization

ND Booking <= 2.4 - Unauthenticated Arbitrary Options Update

Aug 5, 2019 Patched in 2.5 (1632d)
Code Analysis
Analyzed Mar 16, 2026

Hotel Booking Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (28 prepared)
Unescaped Output: 3 (1101 escaped)
Nonce Checks: 7
Capability Checks: 1
File Operations: 2
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

100% prepared · 28 total queries

Output Escaping

100% escaped · 1104 total outputs
Data Flows: All sanitized

Data Flow Analysis

13 flows
<index> (addons\alert\index.php:0)
Attack Surface

Hotel Booking Attack Surface

Entry Points: 25
Unprotected: 0

AJAX Handlers 11

auth wp_ajax_nd_booking_get_orders_php_function addons\calendar-view\index.php:576
auth wp_ajax_nd_booking_import_settings_php_function inc\admin\import-export\index.php:296
auth wp_ajax_nd_booking_add_order_validation_php_function inc\admin\orders\include\add.php:660
auth wp_ajax_nd_booking_final_price_php inc\shortcodes\nd_booking_booking.php:274
nopriv wp_ajax_nd_booking_final_price_php inc\shortcodes\nd_booking_booking.php:275
auth wp_ajax_nd_booking_validate_fields_php_function inc\shortcodes\nd_booking_booking.php:516
nopriv wp_ajax_nd_booking_validate_fields_php_function inc\shortcodes\nd_booking_booking.php:517
auth wp_ajax_nd_booking_woo_php inc\shortcodes\nd_booking_search_result.php:32
nopriv wp_ajax_nd_booking_woo_php inc\shortcodes\nd_booking_search_result.php:33
auth wp_ajax_nd_booking_sorting_php inc\shortcodes\nd_booking_search_result.php:743
nopriv wp_ajax_nd_booking_sorting_php inc\shortcodes\nd_booking_search_result.php:744

Shortcodes 14

[nd_booking_ss_branches] addons\shortcodes\branches\index.php:109
[nd_booking_ss_rooms] addons\shortcodes\rooms\index.php:65
[nd_booking_branches_pg] addons\visual\branches\index.php:5
[nd_booking_order] addons\visual\order\index.php:5
[nd_booking_rooms_pg] addons\visual\rooms\index.php:5
[nd_booking_search] addons\visual\search\index.php:5
[nd_booking_steps] addons\visual\steps\index.php:5
[nd_booking_login] inc\shortcodes\include\account\nd_booking_login.php:32
[nd_booking_register] inc\shortcodes\include\account\nd_booking_register.php:279
[nd_booking_account] inc\shortcodes\nd_booking_account.php:325
[nd_booking_booking] inc\shortcodes\nd_booking_booking.php:241
[nd_booking_checkout] inc\shortcodes\nd_booking_checkout.php:529
[nd_booking_order_info] inc\shortcodes\nd_booking_order.php:154
[nd_booking_search_results] inc\shortcodes\nd_booking_search_result.php:473

WordPress Hooks 77

action init addons\alert\index.php:28
action add_meta_boxes addons\alert\index.php:37
action save_post addons\alert\index.php:257
action nicdark_footer_nd addons\alert\index.php:316
action nd_booking_add_menu_page_after_order addons\calendar-view\index.php:6
action init addons\coupon\index.php:28
action add_meta_boxes addons\coupon\index.php:35
action save_post addons\coupon\index.php:91
action customize_register addons\customizer\index.php:5
action customize_register addons\customizer\plugin-colors\index.php:4
action wp_head addons\customizer\plugin-colors\index.php:186
action admin_head addons\customizer\plugin-colors\index.php:223
action customize_register addons\customizer\styles\index.php:4
action wp_head addons\customizer\styles\index.php:61
action init addons\elementor\index.php:20
action plugins_loaded addons\elementor\index.php:21
action admin_notices addons\elementor\index.php:28
action admin_notices addons\elementor\index.php:30
action admin_notices addons\elementor\index.php:32
action elementor/widgets/widgets_registered addons\elementor\index.php:34
action elementor/elements/categories_registered addons\elementor\index.php:102
action nd_booking_single_cpt_1_tab_list addons\integration\index.php:9
action nd_booking_single_cpt_1_tab_content addons\integration\index.php:42
action save_post addons\integration\index.php:151
action nd_booking_add_settings_group addons\message\index.php:9
action nd_booking_add_setting_on_main_page addons\message\index.php:15
action nd_booking_reservation_added_in_db addons\message\index.php:457
action nd_booking_add_addons_settings_group addons\stripe\index.php:5
action nd_booking_add_setting_on_payment_methods_addons addons\stripe\index.php:14
action nd_booking_add_setting_on_register_payment_message addons\stripe\index.php:53
action nd_booking_add_setting_on_payment_message addons\stripe\index.php:65
action vc_before_init addons\visual\branches\index.php:71
action vc_before_init addons\visual\order\index.php:72
action vc_before_init addons\visual\rooms\index.php:98
action vc_before_init addons\visual\search\index.php:63
action vc_before_init addons\visual\steps\index.php:78
action nd_booking_add_addons_settings_group addons\wpml\index.php:5
action nd_booking_add_setting_on_main_addons addons\wpml\index.php:11
action nd_booking_single_cpt_1_tab_list addons\wpml\index.php:50
action nd_booking_single_cpt_1_tab_content addons\wpml\index.php:78
action admin_menu inc\admin\addons-manager\index.php:6
action admin_init inc\admin\addons-manager\index.php:10
action admin_menu inc\admin\demos\index.php:3
action admin_menu inc\admin\import-export\index.php:4
action admin_menu inc\admin\orders\include\add.php:4
action admin_menu inc\admin\orders\index.php:3
action admin_menu inc\admin\plugin-settings.php:5
action admin_init inc\admin\plugin-settings.php:9
action nd_booking_add_menu_settings inc\admin\plugin-settings.php:530
action admin_init inc\admin\plugin-settings.php:534
action admin_menu inc\admin\premium-addons\index.php:8
action init inc\cpt\cpt-1.php:21
action widgets_init inc\cpt\cpt-1.php:38
action init inc\cpt\cpt-2.php:21
action init inc\cpt\cpt-3.php:23
action init inc\cpt\cpt-4.php:21
action add_meta_boxes inc\metabox\mtb-cpt-1.php:12
action save_post inc\metabox\mtb-cpt-1.php:790
action add_meta_boxes inc\metabox\mtb-cpt-2.php:6
action save_post inc\metabox\mtb-cpt-2.php:233
action add_meta_boxes inc\metabox\mtb-cpt-3.php:6
action save_post inc\metabox\mtb-cpt-3.php:155
action add_meta_boxes inc\metabox\mtb-cpt-4.php:6
action save_post inc\metabox\mtb-cpt-4.php:250
action nd_booking_shortcode_account_tab_list inc\shortcodes\nd_booking_account.php:335
action nd_booking_shortcode_account_tab_list_content inc\shortcodes\nd_booking_account.php:548
action woocommerce_thankyou inc\shortcodes\nd_booking_search_result.php:38
action woocommerce_after_order_notes inc\shortcodes\nd_booking_search_result.php:153
action woocommerce_checkout_process inc\shortcodes\nd_booking_search_result.php:219
action woocommerce_checkout_update_order_meta inc\shortcodes\nd_booking_search_result.php:239
action woocommerce_admin_order_data_after_billing_address inc\shortcodes\nd_booking_search_result.php:256
action plugins_loaded nd-booking.php:19
action wp_enqueue_scripts nd-booking.php:75
action admin_enqueue_scripts nd-booking.php:84
filter single_template nd-booking.php:99
filter single_template nd-booking.php:110
action after_switch_theme nd-booking.php:116
Maintenance & Trust

Hotel Booking Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 23, 2025
PHP min version
Downloads: 82K

Community Trust

Rating: 70/100
Number of ratings: 8
Active installs: 5K
Developer Profile

Hotel Booking Developer Profile

nicdark

4 plugins · 35K total installs

Trust score: 64
Avg Security Score: 79/100
Avg Patch Time: 461 days
Detection Fingerprints

How We Detect Hotel Booking

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/nd-booking/assets/css/style.css
/wp-content/plugins/nd-booking/assets/css/admin-style.css
Script Paths
/wp-content/plugins/nd-booking/assets/css/style.css
/wp-content/plugins/nd-booking/assets/css/admin-style.css
Version Parameters
nd-booking/style.css?ver=
nd-booking/admin-style.css?ver=

HTML / DOM Fingerprints

CSS Classes
nd_booking_metabox_cpt_alert
JS Globals
nd_booking_meta_box_alert_text
nd_booking_meta_box_alert_color
nd_booking_meta_box_alert_icon
nd_booking_meta_box_alert_time
nd_booking_meta_box_alert_pages
FAQ

Frequently Asked Questions about Hotel Booking