352 862 732
Advisory Published

CVE-2023-5651: WP Hotel Booking < 2.0.8 - Subscriber+ Arbitrary Post Deletion

First published: Mon Nov 20 2023(Updated: )

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated users, such as subscriber to delete arbitrary posts


Affected SoftwareAffected VersionHow to fix
Thimpress Wp Hotel Booking<2.0.8

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is the severity of CVE-2023-5651?

    The severity of CVE-2023-5651 is medium.

  • How does CVE-2023-5651 affect WP Hotel Booking plugin?

    CVE-2023-5651 allows any authenticated users, such as subscribers, to delete arbitrary posts in WP Hotel Booking plugin.

  • Is WP Hotel Booking plugin version 2.0.8 affected by CVE-2023-5651?

    Yes, WP Hotel Booking plugin version 2.0.8 is affected by CVE-2023-5651.

  • What can an attacker do with CVE-2023-5651?

    An attacker can delete arbitrary posts in WP Hotel Booking plugin using CVE-2023-5651.

  • How can I fix CVE-2023-5651?

    To fix CVE-2023-5651, update WP Hotel Booking plugin to a version higher than 2.0.8.


SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2023 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203