CVE-2025-39541
BaseFortify
Publication date: 2025-09-09
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wp_simple_booking_calendar | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-39541 is a Broken Access Control vulnerability in the WordPress WP Simple Booking Calendar plugin up to version 2.0.13. It allows users with only subscriber-level privileges to perform actions that normally require higher privileges because of missing authorization, authentication, or nonce token checks in certain functions. This means unauthorized users can exploit the plugin to bypass security controls and perform restricted actions. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized actions being performed on your WordPress site through the WP Simple Booking Calendar plugin. Since it allows users with low privileges to execute higher-privilege actions, it can compromise the integrity of your booking data or site functionality. The vulnerability has a medium severity with a CVSS score of 6.5, indicating a moderate risk and likelihood of exploitation. If exploited, it may require professional incident response and malware scanning to remediate. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts by subscriber-level users to perform unauthorized actions that require higher privileges in the WP Simple Booking Calendar plugin up to version 2.0.13. Monitoring web server logs for suspicious access patterns or unauthorized function calls related to the plugin may help. Additionally, using server-side malware scanning and professional incident response services is recommended if compromise is suspected. Specific commands are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the virtual patch (vPatch) provided by Patchstack to block attacks until the official fixed version is installed. Users are strongly advised to update the WP Simple Booking Calendar plugin to version 2.0.14 or later, where the vulnerability is resolved. Employing automatic vulnerability protection and conducting professional incident response and server-side malware scanning if compromise is suspected are also recommended. [1]