
Cloud Vulnerability DB
A community-led vulnerabilities database
WP Hotel Booking plugin versions prior to 2.2.3 contain a rating manipulation vulnerability (CVE-2025-8942) that allows subscribers and higher-level users to manipulate review ratings due to improper server-side validation. The vulnerability was publicly disclosed on August 28, 2025 (WPScan).
The vulnerability stems from insufficient server-side validation of review ratings, which enables attackers to manipulate rating values by intercepting and modifying requests. The issue is classified as an Access Control vulnerability (CWE-284) with a CVSS score of 4.3 (medium), indicating moderate severity. The vulnerability falls under the OWASP Top 10 category A5: Broken Access Control (WPScan).
When exploited, this vulnerability allows attackers to submit review ratings with values outside the intended 1-5 range, including negative numbers. This can potentially disrupt the plugin's rating system and affect the overall credibility of room reviews on the website (WPScan).
The vulnerability has been patched in version 2.2.3 of the WP Hotel Booking plugin. Site administrators are advised to update to this version or later to protect against rating manipulation attacks (WPScan).
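The following PHP is an added example, not the plugin's code and not the 2.2.3 patch. It shows server-side enforcement of the 1-5 range described above, next to a cast-only handler that accepts whatever a modified request sends. The function names and sample inputs are constructed for illustration, and the cast-only handler is an assumption about what missing validation can look like.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not WP Hotel Booking code.

// Weak form (assumed for illustration): the value is cast but never range-checked,
// so "-3", "6" and "5abc" all turn into a stored integer.
function example_weak_rating($raw): int
{
    return (int) $raw;
}

// Hardened form: returns an int in 1..5, or null when the value must be rejected.
function example_validate_rating($raw): ?int
{
    // Reject arrays (rating[]=5) and any other non-scalar input outright.
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT refuses decimals, exponents and trailing garbage;
    // min_range/max_range enforce the bounds on the server, whatever the form UI allows.
    $rating = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 5],
    ]);
    return $rating === false ? null : $rating;
}

// Constructed request values, as a client that edits the request could submit them.
$samples = ['5', '1', '0', '-3', '6', '4.5', '5abc', '1e1', ['5']];

foreach ($samples as $raw) {
    $strict = example_validate_rating($raw);
    printf(
        "%-8s weak=%-3d strict=%s\n",
        json_encode($raw),
        example_weak_rating($raw),
        $strict === null ? 'rejected' : (string) $strict
    );
}
```

A handler using the hardened form should refuse to save the review when the result is null rather than clamping the value into range, so out-of-range submissions stay visible in logs.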
Source: This report was generated using AI