
CVE-2024-13447: CWE-862 Missing Authorization in thimpress WP Hotel Booking

Severity: Medium
Tags: Vulnerability, CVE-2024-13447, CWE-862
Published: Wed Jan 22 2025 (01/22/2025, 11:07:58 UTC)
Source: CVE Database V5
Vendor/Project: thimpress
Product: WP Hotel Booking

Description

CVE-2024-13447 is a medium severity vulnerability in the WP Hotel Booking WordPress plugin by thimpress, affecting all versions up to 2.1.6. The flaw arises from a missing authorization check on the AJAX action hotel_booking_load_order_user, allowing authenticated users with Subscriber-level privileges or higher to access registered user email addresses without proper permission. This vulnerability does not require user interaction and can be exploited remotely over the network. While it does not impact data integrity or availability, it compromises confidentiality by exposing user emails. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize applying patches or implementing access controls to prevent unauthorized data disclosure. The vulnerability primarily affects websites running this plugin, which are common in hospitality and booking sectors worldwide, especially in countries with high WordPress adoption and tourism industries. Given the ease of exploitation and the scope of affected systems, the severity is rated medium with a CVSS score of 4.

AI-Powered Analysis

Last updated: 02/26/2026, 00:58:35 UTC

Technical Analysis

CVE-2024-13447 is a vulnerability identified in the WP Hotel Booking plugin for WordPress, developed by thimpress. The issue stems from a missing authorization (capability) check on the AJAX action named hotel_booking_load_order_user. This flaw exists in all versions up to and including 2.1.6. Because of this missing check, any authenticated user with at least Subscriber-level access can invoke this AJAX endpoint to retrieve a list of registered user email addresses. The vulnerability does not require elevated privileges beyond Subscriber, nor does it require user interaction, making it relatively easy to exploit remotely. The vulnerability is classified under CWE-862 (Missing Authorization), indicating that the system fails to enforce proper access control before allowing access to sensitive data. The CVSS v3.1 base score is 4.3, reflecting a medium severity level primarily due to confidentiality impact without affecting integrity or availability. No patches were linked at the time of reporting, and no known exploits have been observed in the wild. This vulnerability can lead to privacy violations and potentially facilitate targeted phishing or social engineering attacks by exposing user email addresses. It is particularly relevant for websites in the hospitality sector using this plugin to manage hotel bookings and customer data.

Potential Impact

The primary impact of CVE-2024-13447 is the unauthorized disclosure of registered user email addresses from websites using the WP Hotel Booking plugin. This breach of confidentiality can lead to increased risk of phishing, spam, and social engineering attacks targeting users of affected websites. While the vulnerability does not allow modification or deletion of data, nor does it affect system availability, the exposure of user emails can undermine user trust and violate privacy regulations such as GDPR or CCPA. Organizations relying on this plugin for booking management may face reputational damage and potential legal consequences if user data is mishandled. The ease of exploitation by low-privilege authenticated users increases the risk, especially on sites that allow open registration or have many Subscriber-level accounts. The scope is limited to websites running the vulnerable plugin versions, but given WordPress's widespread use and the popularity of this plugin in the hospitality industry, the number of affected sites could be significant globally.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately update the WP Hotel Booking plugin to a version where the authorization check is properly implemented once available. Until an official patch is released, administrators should restrict user registration or downgrade user privileges to limit Subscriber-level access where possible. Implementing web application firewall (WAF) rules to monitor and block unauthorized AJAX requests to hotel_booking_load_order_user can reduce exploitation risk. Additionally, reviewing and tightening WordPress user role permissions to minimize unnecessary Subscriber accounts can help. Monitoring logs for unusual access patterns to the AJAX endpoint may provide early detection of exploitation attempts. Educating users about phishing risks and enforcing strong email security policies will mitigate downstream risks from exposed email addresses. Finally, organizations should consider conducting a privacy impact assessment and notifying affected users if a data breach is suspected.
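The missing capability check described in the Technical Analysis, and the fix the mitigation section calls for, as an added WordPress AJAX handler example. This is illustrative code, not the WP Hotel Booking plugin's own; the handler bodies, the `manage_options` capability, the nonce name and the `hb_` function names are assumptions.

```php
<?php
// Added example (not the WP Hotel Booking plugin's code): a WordPress AJAX
// handler for the action named in the advisory, first as a CWE-862 pattern
// and then hardened. Handler bodies, capability and nonce name are assumptions.

// Vulnerable pattern: hooked on wp_ajax_ (any logged-in user, Subscriber
// included, can reach it) and nothing checks what the caller may see.
function hb_load_order_user_unchecked() {
    $users = get_users( array( 'fields' => array( 'ID', 'user_email' ) ) );
    wp_send_json_success( $users ); // returns every registered email address
}
// add_action( 'wp_ajax_hotel_booking_load_order_user', 'hb_load_order_user_unchecked' );

// Hardened pattern: verify a nonce issued by the admin screen that makes the
// request, then require a capability that only order managers hold.
function hb_load_order_user_checked() {
    // Stops the request (wp_die with HTTP 403) when the nonce is missing or stale.
    check_ajax_referer( 'hb_load_order_user', 'nonce' );

    // The capability check is the fix for CWE-862. 'manage_options' is an
    // assumption; a plugin would normally use a capability tied to its own
    // booking post type.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Narrow the result to a sanitized search term and a bounded page size
    // instead of returning the whole user table.
    $term  = isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '';
    $users = get_users( array(
        'search'         => '*' . $term . '*',
        'search_columns' => array( 'user_email', 'user_login' ),
        'number'         => 20,
        'fields'         => array( 'ID', 'user_email' ),
    ) );
    wp_send_json_success( $users );
}
add_action( 'wp_ajax_hotel_booking_load_order_user', 'hb_load_order_user_checked' );
```

A WAF or log rule for the interim mitigation would match requests to admin-ajax.php whose action parameter is hotel_booking_load_order_user and correlate the hits with the requesting account's role.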


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-15T22:21:35.957Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e57b7ef31ef0b59e9f3

Added to database: 2/25/2026, 9:49:11 PM

Last enriched: 2/26/2026, 12:58:35 AM

Last updated: 2/26/2026, 7:52:35 AM
