CVE-2020-36757: 
WordPress vulnerability analysis and mitigation

The WP Hotel Booking plugin for WordPress (versions up to and including 1.10.1) contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2020-36757. The vulnerability was discovered by Jerome Bruandet and publicly disclosed on September 16, 2020. The issue stems from missing or incorrect nonce validation in the admin_add_order_item() function (NVD).

The vulnerability is caused by improper nonce validation in the admin_add_order_item() function. The CVSS v3.1 base score is 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (Wordfence).

A successful exploitation of this vulnerability could allow unauthenticated attackers to add order items through forged requests if they can trick a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

The vulnerability has been fixed in version 1.10.2 of the WP Hotel Booking plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).