The WP Hotel Booking WordPress plugin, with over 8,000 active installations, was found to be vulnerable to arbitrary file uploads due to missing file type validation. This critical vulnerability allows authenticated attackers with subscriber-level access to upload malicious files, potentially leading to remote code execution and complete website takeover. Wordfence detected and reported this vulnerability, earning the researcher a bounty of $488. The ThimPress team, the plugin developer, has released a patch for version 2.1.3, which users are urged to update to immediately.
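A check a site owner can run after updating, added here as an example and not taken from Wordfence or ThimPress: the script walks a directory tree (assumed to be the directory where the site stores uploaded files) and flags files that a PHP-enabled web server could execute. The extension list, the `<?php` content check and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed list of extensions that web servers commonly hand to the PHP interpreter.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}

def classify(path):
    """Return a reason string if the file looks server-executable, else None."""
    parts = os.path.basename(path).lower().split(".")
    if "." + parts[-1] in SCRIPT_EXTS:
        return "script extension"
    # e.g. name.php.jpg: some server configurations still execute these.
    if {"." + p for p in parts[1:]} & SCRIPT_EXTS:
        return "script extension before final extension"
    with open(path, "rb") as fh:
        head = fh.read(65536)  # only the first 64 KiB is inspected
    # Short open tags are not checked, to keep false positives on binary data low.
    return "PHP open tag in non-script file" if b"<?php" in head else None

def scan(root):
    """Walk root and return sorted (relative path, reason) pairs for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def demo():
    """Build a constructed upload tree in a temp directory and scan it."""
    samples = {  # constructed sample files, harmless content
        "2024/05/room.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "2024/05/avatar.php": b"<?php /* constructed sample */ ?>",
        "2024/05/photo.php.jpg": b"\xff\xd8\xff\xe0",
        "2024/05/banner.png": b"\x89PNG\r\n\x1a\n<?php /* constructed */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To audit a real site, call `scan()` on the upload directory instead of `demo()`; any hit deserves manual review, since a clean result does not prove that no file was uploaded.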