CVE-2025-14075 identifies a sensitive information exposure vulnerability in the WP Hotel Booking plugin for WordPress, affecting all versions up to and including 2.2.7. The root cause is the exposure of the AJAX action 'hotel_booking_fetch_customer_info' to unauthenticated users without adequate capability checks. The plugin relies solely on a nonce for protection, which is insufficient because nonces are often publicly accessible or can be reused, allowing attackers to bypass authentication controls. By providing a valid email address and a nonce, an attacker can retrieve sensitive customer data such as full names, physical addresses, phone numbers, and email addresses. This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact confined to confidentiality. There are no known exploits in the wild, and no patches have been linked yet. The vulnerability poses significant privacy risks, especially for organizations handling European customer data subject to GDPR. The exposure of personally identifiable information (PII) could lead to identity theft, phishing, or targeted social engineering attacks. The plugin is widely used in hotel and hospitality websites, which are common in Europe’s tourism-dependent economies. The lack of proper authorization checks in the AJAX endpoint is a critical design flaw that must be addressed by enforcing capability checks and improving nonce validation or replacing nonce-based protection with stronger authentication mechanisms.

The primary impact of CVE-2025-14075 is the unauthorized disclosure of sensitive customer information, including full names, addresses, phone numbers, and email addresses. For European organizations, this represents a significant privacy risk and potential violation of GDPR requirements, which mandate strict protection of personal data. Exposure of such data can lead to identity theft, fraud, phishing campaigns, and reputational damage. Hospitality and tourism sectors, which heavily rely on online booking systems, are particularly vulnerable. The breach of customer trust could result in financial penalties and loss of business. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone can have severe legal and operational consequences. Since the vulnerability requires no authentication or user interaction, exploitation can be automated and widespread if attackers discover valid nonces. This increases the risk of large-scale data leaks. European organizations using the WP Hotel Booking plugin must consider the impact on their compliance posture and customer privacy.

1. Apply patches or updates from the plugin vendor as soon as they become available to fix the authorization flaw. 2. Until a patch is released, restrict access to the AJAX endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests to 'hotel_booking_fetch_customer_info'. 3. Disable or remove the WP Hotel Booking plugin if it is not essential or replace it with a more secure alternative. 4. Implement server-side capability checks to ensure only authenticated and authorized users can access sensitive AJAX actions. 5. Avoid relying solely on nonces for security; combine with user authentication and role-based access controls. 6. Monitor web server logs for suspicious access patterns targeting the vulnerable AJAX action. 7. Conduct regular security audits and penetration tests on WordPress plugins, especially those handling personal data. 8. Inform customers and comply with GDPR breach notification requirements if unauthorized data access is suspected. 9. Educate staff and developers about secure coding practices to prevent similar vulnerabilities. 10. Consider network segmentation and limiting public exposure of booking system endpoints.