CVE-2025-62916 MEDIUM

CVE-2025-62916: WordPress Flights & Hotels Booking WP Plugin plugin <= 3.1 - Broken Access Control vulnerability

Vendor Travon Wp
Product Flights & Hotels Booking WP Plugin
Weakness CWE-862 · Missing authorization
Published October 27, 2025
Last update April 28, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

Missing Authorization vulnerability in Travon WP Flights & Hotels Booking WP Plugin adiaha-hotel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flights & Hotels Booking WP Plugin: from n/a through <= 3.1.

Explanation of Vulnerability in Simple Terms

02 Summary

The Flights & Hotels Booking WP Plugin through version 3.1 lacks proper authorization checks on certain functions. A logged-in user with low privileges can modify or delete data they should not have access to. The vulnerability requires an active WordPress account but no special permissions. Site administrators should update the plugin immediately.

What an attacker can do

03 Attacker Capabilities

A logged-in user can modify or delete booking data and settings they should not have access to.

Potential impact on your site

04 Site Impact

Unauthorized users can tamper with flight and hotel bookings, potentially disrupting reservations and customer data.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid WordPress user account with low privileges (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

October 27, 2025 CVE published
April 28, 2026 Record updated