CVE-2025-14982
BaseFortify

Publication date: 2026-01-16

Last updated on: 2026-01-16

Assigner: Wordfence

Description
The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wpbooking
Product: booking_calendar
Version / Range: up to and including 10.14.11
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the Booking Calendar plugin for WordPress is a Missing Authorization issue that allows authenticated users with Subscriber-level access or higher to view all booking records in the database. This includes sensitive personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users. Essentially, the plugin does not properly restrict access to booking data, enabling unauthorized users to access sensitive information they should not see.


How can this vulnerability impact me?

This vulnerability can lead to sensitive information exposure, where attackers with low-level authenticated access (Subscriber role) can view personal and payment details of other users' bookings. This can result in privacy violations, potential identity theft, financial fraud, and loss of trust from customers. Unauthorized access to booking data could also lead to misuse of the information or targeted attacks against individuals whose data is exposed.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability negatively impacts compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized access to personally identifiable information (PII). Exposure of such sensitive data without proper authorization violates principles of data confidentiality and access control mandated by these standards. Organizations using the vulnerable plugin may face legal and regulatory consequences due to failure to adequately protect user data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized access to booking records by authenticated users with Subscriber-level access or higher. Detection would involve monitoring for suspicious access patterns to booking data, especially AJAX requests related to booking listings. Since the plugin uses AJAX handlers such as 'wp_ajax_WPBC_AJX_BOOKING_LISTING' to retrieve booking data, you can monitor HTTP requests to admin-ajax.php whose action parameter is set to 'WPBC_AJX_BOOKING_LISTING'. Detection could include inspecting web server logs or using a tool like curl to test access permissions: simulate an authenticated request (with the appropriate cookies or tokens) to the AJAX endpoint and check whether booking data is returned without proper authorization. However, no explicit detection commands are provided in the resources. [2]
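The log-inspection idea above, as an added example that is not part of the BaseFortify page or the plugin vendor's code: a small scanner over access-log lines in the Apache/nginx "combined" format. It flags any request to admin-ajax.php that carries the WPBC_AJX_BOOKING_LISTING action named on the page, and separately flags clients that send an unusually high number of admin-ajax.php requests. The second rule exists because WordPress reads the action from the query string or the POST body, and a default access log records only the request line, so an action sent in a POST body is invisible there (request-body logging or a WAF audit log is needed to see it). The sample log lines, IP addresses and the volume threshold are constructed for the example.

```python
"""Scan combined-format access-log lines for the Booking Calendar booking-listing
AJAX action.  Added example, not code from BaseFortify or the plugin vendor.
Assumption: default combined log format, so only method, path and query string
are visible; POST bodies are not."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# combined format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
WATCHED_ACTION = "WPBC_AJX_BOOKING_LISTING"  # action name taken from the advisory text

# Constructed sample lines (not real traffic): one client fetches the booking
# listing via GET, then POSTs to admin-ajax.php; another client only sends heartbeats.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=WPBC_AJX_BOOKING_LISTING&page_num=1 HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.10 - - [16/Jan/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 9876 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [16/Jan/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jan/2026:10:00:06 +0000] "GET /booking/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    time: str
    reason: str


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = urlsplit(fields["target"])
    fields["path"] = parts.path
    # WordPress takes the action from $_REQUEST, so it can ride in the query string
    # of a GET or a POST.  An action present only in a POST body never reaches the log.
    fields["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return fields


def scan_log(lines, volume_threshold=20):
    """Flag (a) requests whose query string names the booking-listing action and
    (b) clients whose admin-ajax.php request count reaches volume_threshold, the
    only signal left when the action is carried in a POST body."""
    findings = []
    ajax_hits = Counter()
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        if rec is None or rec["path"] != AJAX_PATH:
            continue
        ajax_hits[rec["ip"]] += 1
        if rec["query"].get("action") == WATCHED_ACTION:
            findings.append(Finding(
                rec["ip"], rec["time"],
                f"{WATCHED_ACTION} requested via {rec['method']}, HTTP {rec['status']}"))
    for ip, n in ajax_hits.items():
        if n >= volume_threshold:
            findings.append(Finding(
                ip, "-", f"{n} admin-ajax.php requests (threshold {volume_threshold})"))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.ip} {f.time} {f.reason}")
```

Run it against a real log with `scan_log(open("/var/log/nginx/access.log"))`; a hit with HTTP 200 on an install at or below 10.14.11 is worth correlating with the WordPress user session behind that request, whereas a 403 after the update indicates the fix is doing its job.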


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Booking Calendar plugin to version 10.14.12 or later. This update changes the minimum user role required to access the Booking Calendar menus from 'subscriber' to 'editor' immediately after plugin activation, restricting access to more privileged users and preventing unauthorized viewing of booking records. After updating, verify and adjust user role permissions under Plugin Menu / Permissions in the WordPress Admin Panel so that only trusted roles have access. Applying this update mitigates the vulnerability by enforcing stricter authorization controls. [3]
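A check for whether an installed copy is still at an affected version, as an added example that is not part of the page or the vendor's code: it reads the standard WordPress plugin header from the plugin's main PHP file and compares the version numerically against 10.14.12, the first fixed release named above. Assumptions labelled here: the plugin directory path you pass in (a common layout is wp-content/plugins/<slug>/, but confirm the slug on your install), and that the main file carries a "Plugin Name:" and "Version:" header as WordPress requires. The header text in the block is constructed for the example.

```python
"""Report whether a Booking Calendar install is at a version the advisory lists as
affected (<= 10.14.11).  Added example, not the vendor's code.  Assumptions: the
plugin directory is supplied by the caller, and its main PHP file has a standard
WordPress header block with "Plugin Name:" and "Version:" lines."""
import re
from pathlib import Path

FIXED_VERSION = "10.14.12"  # first fixed release named on the page
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(?P<v>[0-9][0-9A-Za-z.\-]*)", re.M)
PLUGIN_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:", re.M)

# Constructed header text in the WordPress plugin-header style; not the real file.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Booking Calendar
 * Version: 10.14.11
 */
"""


def version_key(v):
    """Split '10.14.11' into (10, 14, 11) so comparison is numeric: a plain string
    compare would rank '10.9' above '10.14'.  Non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def is_vulnerable(version):
    """True when the version is below the first fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def plugin_version_from_header(text):
    """Return the Version: value from a plugin header, or None if absent."""
    m = VERSION_RE.search(text)
    return m.group("v") if m else None


def check_install(plugin_dir):
    """Scan the top-level .php files of plugin_dir for the one carrying the plugin
    header and return (version, vulnerable); (None, None) if no header is found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        if not PLUGIN_NAME_RE.search(text):
            continue
        version = plugin_version_from_header(text)
        if version is None:
            return None, None
        return version, is_vulnerable(version)
    return None, None


if __name__ == "__main__":
    import sys
    # Usage: python check_booking_calendar.py /path/to/wp-content/plugins/<slug>
    version, vulnerable = check_install(sys.argv[1])
    if version is None:
        print("no plugin header found")
    else:
        print(f"installed {version}: {'AFFECTED, update to ' + FIXED_VERSION if vulnerable else 'fixed'}")
```

The numeric comparison matters for this advisory because the version line has three components and two-digit minor numbers; a lexical comparison would mis-rank 10.9.x against 10.14.x.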

