The WP Hotel Booking plugin by Thimpress, widely used for managing hotel reservations on WordPress sites, contains a vulnerability identified as CVE-2025-14075. This vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The root cause is the improper access control on the AJAX action 'hotel_booking_fetch_customer_info', which is accessible without authentication or proper capability checks. Instead, the plugin relies solely on a nonce for security, which is insufficient because the nonce is publicly accessible and can be reused or discovered by attackers. By submitting a valid email address along with the nonce, an attacker can retrieve sensitive customer details such as full names, physical addresses, phone numbers, and email addresses. This data exposure violates confidentiality principles and can lead to privacy breaches, identity theft, or targeted phishing attacks. The vulnerability affects all versions up to and including 2.2.7 of the plugin. The CVSS v3.1 base score is 5.3, reflecting medium severity, with an attack vector of network (remote), low attack complexity, no privileges required, no user interaction, and impact limited to confidentiality. No integrity or availability impacts are noted. No patches or fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. The vulnerability highlights the risk of relying solely on nonces for access control in WordPress plugins, emphasizing the need for robust capability checks and authentication mechanisms.

The primary impact of CVE-2025-14075 is the unauthorized disclosure of sensitive customer information, including personally identifiable information (PII) such as names, addresses, phone numbers, and emails. This exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), and reputational damage for affected organizations. Attackers could use the stolen data for identity theft, social engineering, phishing campaigns, or targeted attacks against customers. While the vulnerability does not affect data integrity or system availability, the breach of confidentiality alone can have serious consequences, especially for hospitality businesses that handle large volumes of customer data. Organizations relying on the WP Hotel Booking plugin risk losing customer trust and may face legal liabilities. The ease of exploitation (no authentication or user interaction required) increases the likelihood of automated attacks or data scraping by malicious actors. Although no active exploits are reported, the vulnerability’s presence in a popular WordPress plugin makes it a potential target for opportunistic attackers.

1. Immediate mitigation involves disabling or restricting access to the 'hotel_booking_fetch_customer_info' AJAX action until a patch is available. 2. Implement server-side capability checks to ensure only authenticated users with appropriate permissions can invoke this action. 3. Do not rely solely on nonces for access control; combine them with proper user authentication and authorization mechanisms. 4. Monitor web server logs for unusual or repeated requests to the vulnerable AJAX endpoint, which may indicate exploitation attempts. 5. If possible, upgrade to a patched version of the WP Hotel Booking plugin once released by the vendor. 6. Apply web application firewall (WAF) rules to block or rate-limit suspicious requests targeting this AJAX action. 7. Conduct a thorough audit of customer data access logs to detect any unauthorized data retrieval. 8. Educate site administrators about the risks of exposing sensitive AJAX actions without proper controls. 9. Consider implementing additional data protection measures such as encryption of stored customer data and minimizing data exposure in API responses.