The vulnerability identified as CVE-2025-14352 affects all versions of the Awesome Hotel Booking plugin for WordPress up to and including version 1.0. The core issue is an incorrect authorization mechanism (CWE-863) in the room-single.php shortcode handler. Specifically, the plugin relies exclusively on nonce verification to authorize modifications to booking records. Nonces in WordPress are intended to prevent CSRF attacks but do not verify user permissions or roles. Because the nonce is accessible via the public booking form, unauthenticated attackers can retrieve a valid nonce and submit requests that modify arbitrary booking records without any capability checks. This bypasses intended access controls and allows unauthorized data manipulation. The vulnerability does not impact confidentiality or availability directly but compromises data integrity by enabling unauthorized changes to booking information. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or availability impact, and limited integrity impact. No patches or exploits are currently documented, but the vulnerability is publicly disclosed and should be addressed promptly.

This vulnerability primarily impacts the integrity of booking data within affected WordPress sites using the Awesome Hotel Booking plugin. Unauthorized modification of booking records can lead to fraudulent bookings, double bookings, or cancellation of legitimate reservations, undermining trust and operational reliability for hotels and booking platforms. While confidentiality and availability are not directly affected, the integrity compromise can cause financial losses, reputational damage, and customer dissatisfaction. Attackers could manipulate booking details to disrupt business operations or create confusion. Since the exploit requires no authentication or user interaction, the attack surface is broad, potentially affecting any publicly accessible site running the vulnerable plugin. Organizations relying on this plugin for reservation management are at risk of data tampering and should consider the impact on their business continuity and customer trust.

To mitigate this vulnerability, site administrators should implement strict capability checks in addition to nonce verification within the room-single.php shortcode handler to ensure only authorized users can modify booking records. Specifically, the plugin code should verify user roles or permissions (e.g., checking if the user has 'manage_options' or a custom capability related to booking management) before processing any data modification requests. Until an official patch is released, administrators can apply custom code patches or use WordPress hooks to enforce authorization. Additionally, monitoring booking records for unusual or unauthorized changes can help detect exploitation attempts. Restricting access to booking management pages and employing web application firewalls (WAFs) with custom rules to block suspicious requests containing nonce misuse may reduce risk. Regularly updating the plugin once a vendor patch is available is critical. Finally, educating site administrators about the risks of relying solely on nonce verification for authorization can prevent similar issues.