CVE-2025-14075: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in thimpress WP Hotel Booking
CVE-2025-14075 is a medium-severity vulnerability in the WP Hotel Booking WordPress plugin (up to version 2. 2. 7) that allows unauthenticated attackers to access sensitive customer information. The flaw arises because the 'hotel_booking_fetch_customer_info' AJAX action is exposed without proper capability checks, relying solely on a nonce for protection. Attackers can exploit this by submitting a valid email address and a publicly accessible nonce to retrieve data such as full names, addresses, phone numbers, and emails. This vulnerability impacts confidentiality but does not affect integrity or availability. No authentication or user interaction is required, and the attack can be performed remotely over the network. European organizations using this plugin, especially those in countries with high WordPress adoption and tourism sectors, are at risk. Mitigation involves updating the plugin once a patch is available or implementing strict access controls and nonce validation. Countries like Germany, France, Italy, Spain, and the UK are most likely affected due to market penetration and strategic importance of hospitality services.
AI Analysis
Technical Summary
CVE-2025-14075 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the WP Hotel Booking plugin for WordPress, versions up to and including 2.2.7. The root cause is the improper exposure of the AJAX action 'hotel_booking_fetch_customer_info' to unauthenticated users. Instead of enforcing proper capability checks to verify user authorization, the plugin relies solely on a nonce token for protection. Since the nonce is publicly accessible, an attacker can supply a valid email address along with this nonce to the AJAX endpoint and retrieve sensitive customer details such as full names, physical addresses, phone numbers, and email addresses. This flaw compromises the confidentiality of customer data without impacting data integrity or system availability. The vulnerability can be exploited remotely over the network without any authentication or user interaction, making it relatively easy to exploit. Although no known exploits are currently in the wild, the exposure of personally identifiable information (PII) poses significant privacy risks and potential regulatory compliance issues, especially under GDPR. The vulnerability has a CVSS v3.1 base score of 5.3, reflecting its medium severity due to the ease of exploitation and the sensitivity of the data exposed. No official patches or updates are currently linked, so affected organizations must monitor vendor communications closely. The vulnerability is particularly relevant to organizations in the hospitality industry using this plugin to manage bookings and customer data on WordPress sites.
Potential Impact
For European organizations, the exposure of sensitive customer information can lead to multiple adverse effects. Firstly, it risks violating the EU's General Data Protection Regulation (GDPR), which mandates strict controls over personal data, potentially resulting in heavy fines and reputational damage. Hospitality businesses relying on WP Hotel Booking may suffer loss of customer trust if personal data such as names, addresses, phone numbers, and emails are leaked. This can also facilitate targeted phishing attacks, identity theft, and social engineering campaigns against affected customers. The breach of confidentiality could disrupt business operations indirectly by necessitating incident response, customer notifications, and legal consultations. Although the vulnerability does not affect system integrity or availability, the privacy impact alone is significant given the nature of the data exposed. European tourism-heavy economies and businesses with large customer bases are particularly vulnerable to these consequences.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify if the WP Hotel Booking plugin is in use and confirm the version. Until an official patch is released, administrators should consider disabling or restricting access to the 'hotel_booking_fetch_customer_info' AJAX action by implementing server-side access controls that enforce user authentication and capability checks beyond nonce validation. Web application firewalls (WAFs) can be configured to block suspicious AJAX requests targeting this endpoint, especially those originating from unauthenticated sources. Monitoring web server logs for unusual requests to this AJAX action can help detect exploitation attempts. Additionally, organizations should review and minimize the exposure of nonces in publicly accessible areas of the website to reduce attack surface. Once a vendor patch is available, prompt application of updates is critical. Finally, organizations should prepare incident response plans to address potential data breaches involving customer information and ensure compliance with GDPR notification requirements.
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Austria
CVE-2025-14075: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in thimpress WP Hotel Booking
Description
CVE-2025-14075 is a medium-severity vulnerability in the WP Hotel Booking WordPress plugin (up to version 2. 2. 7) that allows unauthenticated attackers to access sensitive customer information. The flaw arises because the 'hotel_booking_fetch_customer_info' AJAX action is exposed without proper capability checks, relying solely on a nonce for protection. Attackers can exploit this by submitting a valid email address and a publicly accessible nonce to retrieve data such as full names, addresses, phone numbers, and emails. This vulnerability impacts confidentiality but does not affect integrity or availability. No authentication or user interaction is required, and the attack can be performed remotely over the network. European organizations using this plugin, especially those in countries with high WordPress adoption and tourism sectors, are at risk. Mitigation involves updating the plugin once a patch is available or implementing strict access controls and nonce validation. Countries like Germany, France, Italy, Spain, and the UK are most likely affected due to market penetration and strategic importance of hospitality services.
AI-Powered Analysis
Technical Analysis
CVE-2025-14075 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the WP Hotel Booking plugin for WordPress, versions up to and including 2.2.7. The root cause is the improper exposure of the AJAX action 'hotel_booking_fetch_customer_info' to unauthenticated users. Instead of enforcing proper capability checks to verify user authorization, the plugin relies solely on a nonce token for protection. Since the nonce is publicly accessible, an attacker can supply a valid email address along with this nonce to the AJAX endpoint and retrieve sensitive customer details such as full names, physical addresses, phone numbers, and email addresses. This flaw compromises the confidentiality of customer data without impacting data integrity or system availability. The vulnerability can be exploited remotely over the network without any authentication or user interaction, making it relatively easy to exploit. Although no known exploits are currently in the wild, the exposure of personally identifiable information (PII) poses significant privacy risks and potential regulatory compliance issues, especially under GDPR. The vulnerability has a CVSS v3.1 base score of 5.3, reflecting its medium severity due to the ease of exploitation and the sensitivity of the data exposed. No official patches or updates are currently linked, so affected organizations must monitor vendor communications closely. The vulnerability is particularly relevant to organizations in the hospitality industry using this plugin to manage bookings and customer data on WordPress sites.
Potential Impact
For European organizations, the exposure of sensitive customer information can lead to multiple adverse effects. Firstly, it risks violating the EU's General Data Protection Regulation (GDPR), which mandates strict controls over personal data, potentially resulting in heavy fines and reputational damage. Hospitality businesses relying on WP Hotel Booking may suffer loss of customer trust if personal data such as names, addresses, phone numbers, and emails are leaked. This can also facilitate targeted phishing attacks, identity theft, and social engineering campaigns against affected customers. The breach of confidentiality could disrupt business operations indirectly by necessitating incident response, customer notifications, and legal consultations. Although the vulnerability does not affect system integrity or availability, the privacy impact alone is significant given the nature of the data exposed. European tourism-heavy economies and businesses with large customer bases are particularly vulnerable to these consequences.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify if the WP Hotel Booking plugin is in use and confirm the version. Until an official patch is released, administrators should consider disabling or restricting access to the 'hotel_booking_fetch_customer_info' AJAX action by implementing server-side access controls that enforce user authentication and capability checks beyond nonce validation. Web application firewalls (WAFs) can be configured to block suspicious AJAX requests targeting this endpoint, especially those originating from unauthenticated sources. Monitoring web server logs for unusual requests to this AJAX action can help detect exploitation attempts. Additionally, organizations should review and minimize the exposure of nonces in publicly accessible areas of the website to reduce attack surface. Once a vendor patch is available, prompt application of updates is critical. Finally, organizations should prepare incident response plans to address potential data breaches involving customer information and ensure compliance with GDPR notification requirements.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-04T22:18:59.068Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 696af5b4b22c7ad8685027aa
Added to database: 1/17/2026, 2:36:36 AM
Last enriched: 1/17/2026, 2:51:36 AM
Last updated: 1/17/2026, 4:00:34 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-0820: CWE-862 Missing Authorization in sweetdaisy86 RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress
MediumCVE-2026-0682: CWE-918 Server-Side Request Forgery (SSRF) in andy_moyle Church Admin
LowCVE-2025-14463: CWE-862 Missing Authorization in naa986 Payment Button for PayPal
MediumCVE-2025-13725: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in thimpress Thim Blocks
MediumCVE-2025-15403: CWE-269 Improper Privilege Management in metagauss RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CriticalActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.