CVE-2025-63001

Hotel Booking <= 3.8 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Hotel Booking plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.8
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginnd-booking
Research Plan
Unverified

This research plan outlines the process for identifying and exploiting **CVE-2025-63001**, a missing authorization vulnerability in the **Hotel Booking (nd-booking)** plugin for WordPress (versions ≤ 3.8). --- ### 1. Vulnerability Summary The **Hotel Booking** plugin (slug: `nd-booking`) fails to …

Show full research plan

This research plan outlines the process for identifying and exploiting CVE-2025-63001, a missing authorization vulnerability in the Hotel Booking (nd-booking) plugin for WordPress (versions ≤ 3.8).


1. Vulnerability Summary

The Hotel Booking plugin (slug: nd-booking) fails to implement proper capability checks (authorization) on specific AJAX handlers or initialization functions. This allows unauthenticated users to trigger functions intended for administrators. Given the CVSS (5.3) and Integrity: Low rating, the vulnerability likely allows an attacker to modify non-critical plugin settings or metadata rather than achieving full site takeover.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (for AJAX-based issues) or /wp-admin/admin-post.php (for form-based issues).
  • Action Parameter: The action variable in the POST request triggers the vulnerable function.
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active. A valid WordPress nonce for the specific action may be required if a check_ajax_referer call exists without an accompanying current_user_can check.

3. Code Flow (Identification Phase)

To ground the research, the agent must first identify the specific vulnerable function using these steps:

  1. Locate AJAX Handlers: Search for unauthenticated AJAX registrations in the plugin directory.
    grep -r "wp_ajax_nopriv_nd_booking_" /var/www/html/wp-content/plugins/nd-booking/
    
  2. Verify Missing Authorization: For each function discovered in Step 1, check if it lacks a current_user_can() check.
    • Example target: nd_booking_save_settings_php_function (inferred) or nd_booking_update_status_php_function (inferred).
  3. Trace Logic: Look for functions that use update_option(), wp_update_post(), or $wpdb->update() without verifying the user's role.

4. Nonce Acquisition Strategy

If the identified function calls check_ajax_referer('some_action_string', 'some_nonce_key'), the agent must obtain a nonce. Since nonces are user-bound (UID 0 for unauthenticated), the agent can extract one from the frontend.

  1. Identify Shortcode: Find a shortcode that enqueues the plugin's frontend scripts. Common nd-booking shortcodes include [nd_booking_search_form] or [nd_booking_calendar].
  2. Setup Page: Create a temporary public page containing the shortcode:
    wp post create --post_type=page --post_status=publish --post_title="Booking Test" --post_content='[nd_booking_search_form]'
    
  3. Extract Nonce: Use the browser to find the localized script data.
    • Search the plugin source for wp_localize_script. Look for the object name (e.g., nd_booking_my_js_vars).
    • Use browser_eval to extract the nonce:
      // Example (inferred variable names)
      window.nd_booking_ajax_object?.nd_booking_nonce
      

5. Exploitation Strategy

Once the action and nonce are identified, perform the following:

  1. Construct Request:
    • Method: POST
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=nd_booking_VULNERABLE_ACTION&nd_booking_nonce=EXTRACTED_NONCE&param_to_change=malicious_value
      
  2. Target Selection (Inferred):
    If the vulnerability is in a settings update function, the goal is to change a plugin setting like nd_booking_currency or nd_booking_recipient_email.

6. Test Data Setup

  1. Plugin Install: Ensure nd-booking v3.8 is installed and activated.
  2. Configuration: Configure at least one "Room" or "Accommodation" post type to ensure the plugin's logic is fully initialized.
  3. Public Page: Create the page mentioned in Section 4 to facilitate nonce extraction.

7. Expected Results

  • Success Indicator: The HTTP response returns a 200 OK or a JSON success message (e.g., {"success":true}).
  • Integrity Impact: A plugin setting or post metadata is modified in the database.

8. Verification Steps

After sending the exploit request, verify the change via WP-CLI:

# If an option was changed:
wp option get nd_booking_specific_setting_name

# If post meta was changed:
wp post meta list <POST_ID> --keys=nd_booking_target_meta

9. Alternative Approaches

  • Missing Nonce Check: If the code uses wp_ajax_nopriv_ but also neglects to call check_ajax_referer, the exploit can be performed without Section 4.
  • admin_init Hook: Check for functions hooked to admin_init in nd-booking.php. These functions run on every admin-ajax.php request, even for unauthenticated users. If such a function processes $_POST data without a capability check, it is an alternative entry point.
    grep -r "add_action.*admin_init" /var/www/html/wp-content/plugins/nd-booking/
    
Research Findings
Static analysis — not yet PoC-verified

Summary

The Hotel Booking plugin for WordPress is vulnerable to unauthorized access in versions up to and including 3.8 due to missing capability checks on AJAX handlers or administrative initialization functions. This allows unauthenticated attackers to perform unauthorized actions, such as modifying plugin settings or post metadata, which are typically restricted to administrators.

Exploit Outline

The exploit targets the WordPress AJAX endpoint at '/wp-admin/admin-ajax.php'. An attacker identifies a vulnerable action registered via 'wp_ajax_nopriv_' (e.g., related to saving settings or updating statuses) that lacks a 'current_user_can()' check. If the function implements a nonce check, the attacker retrieves a valid unauthenticated nonce from the site's frontend, where it is often localized in script data (e.g., 'nd_booking_ajax_object.nd_booking_nonce') on pages containing plugin shortcodes like '[nd_booking_search_form]'. The attacker then sends a POST request with the action, the nonce, and the malicious parameters to modify site configurations or metadata without authentication.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.