
CVE-2024-12370: CWE-284 Improper Access Control in thimpress WP Hotel Booking

Severity: Medium
Tags: Vulnerability, CVE-2024-12370, CWE-284
Published: Fri Jan 17 2025 (01/17/2025, 08:25:38 UTC)
Source: CVE Database V5
Vendor/Project: thimpress
Product: WP Hotel Booking

Description

CVE-2024-12370 is a medium severity vulnerability in the WP Hotel Booking WordPress plugin by thimpress, affecting all versions up to and including 2.1.5. It arises from improper access control (CWE-284): a capability check is missing when rooms are added. This flaw allows unauthenticated attackers to add rooms with custom prices, manipulating booking data without authorization. The vulnerability does not impact confidentiality or availability but compromises data integrity. Exploitation requires no authentication or user interaction and can be performed remotely over the network. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized data modification. Countries with significant WordPress usage and tourism-related businesses are most at risk.

AI-Powered Analysis

Last updated: 02/26/2026, 05:13:56 UTC

Technical Analysis

CVE-2024-12370 is an improper access control vulnerability identified in the WP Hotel Booking plugin for WordPress, developed by thimpress. The vulnerability exists in all versions up to and including 2.1.5. The root cause is a missing capability check when adding rooms, which means the plugin fails to verify whether the user has the necessary permissions before allowing the addition of new rooms with custom prices. This flaw allows unauthenticated attackers—meaning no login or credentials are required—to remotely add rooms to the booking system. The attack vector is network-based and requires no user interaction, making exploitation relatively straightforward. The vulnerability is classified under CWE-284, which pertains to improper access control, and has a CVSS v3.1 base score of 5.3 (medium severity). The CVSS vector indicates no impact on confidentiality or availability but a low impact on integrity, as attackers can alter booking data by adding unauthorized rooms. There are no patches or updates currently linked, and no known exploits have been observed in the wild. This vulnerability poses a risk to the integrity of hotel booking data, potentially leading to fraudulent bookings, pricing manipulation, or disruption of business operations relying on accurate room inventory.
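The root cause described above is a WordPress handler that writes data without first asking who is calling. The following is an added illustration, not code from WP Hotel Booking or thimpress: a hypothetical AJAX handler for adding a room, shown first in the unchecked form that CWE-284 describes and then with the checks a hardened handler needs. The action name demo_add_room, the post type demo_room, the capability manage_demo_rooms and the meta key _demo_price are all assumed names chosen for the example.

```php
<?php
// Added example, not the plugin's code. All names below (demo_add_room,
// demo_room, manage_demo_rooms, _demo_price) are hypothetical.

// Pattern to avoid: the handler is reachable by anonymous callers through the
// wp_ajax_nopriv_ hook and nothing verifies the caller's permission or a nonce
// before a room is written to the database. This is the shape of a missing
// capability check; it is deliberately NOT registered below.
function demo_add_room_unchecked() {
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $price = (float) ( $_POST['price'] ?? 0 );
    $id    = wp_insert_post( array(
        'post_type'   => 'demo_room',
        'post_title'  => $title,
        'post_status' => 'publish',
    ) );
    update_post_meta( $id, '_demo_price', $price );
    wp_send_json_success( array( 'id' => $id ) );
}
// add_action( 'wp_ajax_demo_add_room', 'demo_add_room_unchecked' );
// add_action( 'wp_ajax_nopriv_demo_add_room', 'demo_add_room_unchecked' );

// Hardened form: nonce, capability check, input validation, error handling.
function demo_add_room_checked() {
    // 1. CSRF protection: the request must carry a nonce minted for this action
    //    (check_ajax_referer() terminates the request with 403 on failure).
    check_ajax_referer( 'demo_add_room', 'nonce' );

    // 2. Authorization: only a logged-in user holding the room-management
    //    capability may proceed. wp_send_json_error() exits, so no return needed.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_demo_rooms' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: reject empty titles and non-numeric or negative prices
    //    before touching the database.
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $price = ( isset( $_POST['price'] ) && is_numeric( $_POST['price'] ) )
        ? (float) $_POST['price']
        : null;
    if ( '' === $title || null === $price || $price < 0 ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }

    // 4. Write the room only after every check has passed.
    $id = wp_insert_post( array(
        'post_type'   => 'demo_room',
        'post_title'  => $title,
        'post_status' => 'publish',
    ), true );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( array( 'message' => $id->get_error_message() ), 500 );
    }
    update_post_meta( $id, '_demo_price', $price );
    wp_send_json_success( array( 'id' => $id, 'price' => $price ) );
}
// Registered for logged-in users only. There is deliberately no
// wp_ajax_nopriv_demo_add_room registration, so anonymous requests never
// reach the handler at all.
add_action( 'wp_ajax_demo_add_room', 'demo_add_room_checked' );

// Grant the hypothetical capability to administrators once (e.g. on activation),
// so the check above has a role to succeed for.
function demo_add_room_capability() {
    $role = get_role( 'administrator' );
    if ( $role && ! $role->has_cap( 'manage_demo_rooms' ) ) {
        $role->add_cap( 'manage_demo_rooms' );
    }
}
add_action( 'init', 'demo_add_room_capability' );
```

Omitting the nopriv hook and checking the capability are two separate controls; the first stops anonymous callers, the second stops authenticated low-privilege users (such as subscribers) from reaching a write path intended for administrators. The nonce adds CSRF protection but is not an authorization check on its own, which is why current_user_can() is still required.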

Potential Impact

The primary impact of CVE-2024-12370 is on data integrity within the WP Hotel Booking plugin. Unauthorized addition of rooms with custom prices can lead to fraudulent bookings, financial losses, and reputational damage for affected organizations. Attackers could manipulate room availability and pricing, potentially confusing customers or causing revenue leakage. While confidentiality and availability are not directly affected, the integrity compromise can disrupt business processes and trust in the booking system. Organizations relying on this plugin for managing hotel room inventory and pricing are at risk of operational disruption and financial fraud. The ease of exploitation—no authentication or user interaction required—raises the likelihood of automated attacks targeting vulnerable sites. This threat is particularly relevant for businesses in the hospitality and tourism sectors using WordPress with the WP Hotel Booking plugin.

Mitigation Recommendations

To mitigate CVE-2024-12370, organizations should immediately verify if they are using the WP Hotel Booking plugin version 2.1.5 or earlier and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should implement the following specific measures:

1) Restrict access to the plugin's room management endpoints by configuring web application firewalls (WAFs) or server-level access controls to allow only trusted IP addresses or authenticated users.
2) Employ WordPress security plugins that can enforce capability checks or monitor unauthorized changes to booking data.
3) Regularly audit booking data for anomalies such as unexpected room additions or pricing changes.
4) Disable or remove the WP Hotel Booking plugin if it is not essential, to reduce attack surface.
5) Monitor logs for suspicious POST requests targeting room addition functions.
6) Engage with the plugin vendor or community to track patch releases and apply updates promptly.

These targeted actions go beyond generic advice by focusing on access restriction, monitoring, and proactive auditing tailored to this vulnerability's characteristics.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-09T16:34:30.012Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e38b7ef31ef0b597fd3

Added to database: 2/25/2026, 9:48:40 PM

Last enriched: 2/26/2026, 5:13:56 AM

Last updated: 2/26/2026, 8:04:04 AM

Views: 2

