PT-2026-42738 · WordPress · Motopress Hotel Booking

Published: 2026-05-22 · Updated: 2026-05-22 · CVE-2026-8684

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

MotoPress Hotel Booking versions prior to 6.0.2

Description

The MotoPress Hotel Booking plugin for WordPress contains an authorization bypass flaw resulting from improper verification of user permissions. Unauthenticated attackers can overwrite or delete internal notes by providing an arbitrary booking ID. This is possible because the required nonce is exposed in the HTML source of all public pages via wp_localize_script in the MPHB._data.nonces variable, allowing any visitor to perform the action without an account. The affected variable is mphb_booking_internal_notes.

Recommendations

Update to version 6.0.2 or later.
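The weakness class described above, shown as a generic WordPress pattern next to a hardened handler. This is an added example, not the plugin's code and not the 6.0.2 patch; the example_* action names, the 'example-booking' script handle, the 'example_booking' post type and the '_example_internal_notes' meta key are all hypothetical.

```php
<?php
/**
 * Plugin Name: Example Booking Notes (illustration only)
 *
 * Hypothetical names throughout: the example_* actions, the 'example-booking'
 * script handle, the 'example_booking' post type and the meta key.
 */

// Exposure: a nonce localized on the front end appears in the HTML of every
// public page. For logged-out visitors it is bound to user ID 0, so all
// anonymous visitors share a valid value. It stops CSRF; it authorizes nobody.
add_action( 'wp_enqueue_scripts', function () {
	wp_enqueue_script( 'example-booking', plugins_url( 'booking.js', __FILE__ ), array(), '1.0', true );
	wp_localize_script( 'example-booking', 'ExampleBooking', array(
		'nonces' => array( 'update_notes' => wp_create_nonce( 'example_update_notes' ) ),
	) );
} );

// WEAK: the nonce is the only gate and the nopriv hook admits logged-out requests.
function example_update_notes_weak() {
	check_ajax_referer( 'example_update_notes', 'nonce' );
	update_post_meta( absint( $_POST['booking_id'] ), '_example_internal_notes', wp_unslash( $_POST['notes'] ) );
	wp_send_json_success();
}
add_action( 'wp_ajax_example_update_notes_weak', 'example_update_notes_weak' );
add_action( 'wp_ajax_nopriv_example_update_notes_weak', 'example_update_notes_weak' );

// HARDENED: no nopriv hook, object type check, per-booking capability check.
// Assumption: the 'example_update_notes_admin' nonce is created only on admin screens.
function example_update_notes() {
	check_ajax_referer( 'example_update_notes_admin', 'nonce' );
	$booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
	if ( ! $booking_id || 'example_booking' !== get_post_type( $booking_id ) ) {
		wp_send_json_error( array( 'message' => 'Invalid booking.' ), 400 );
	}
	// Authorization: may the current user edit this specific booking?
	if ( ! current_user_can( 'edit_post', $booking_id ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
	}
	$notes = isset( $_POST['notes'] ) ? sanitize_textarea_field( wp_unslash( $_POST['notes'] ) ) : '';
	update_post_meta( $booking_id, '_example_internal_notes', $notes );
	wp_send_json_success();
}
add_action( 'wp_ajax_example_update_notes', 'example_update_notes' );
```

When reviewing other plugins for the same weakness, look for AJAX or REST handlers that write data after a nonce check alone, with no current_user_can() call on the object being modified.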

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-8684

Affected Products: Motopress Hotel Booking