CVE-2025-67953
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| booking_activities | booking_activities | to 1.16.44 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67953 is a critical privilege escalation vulnerability in the WordPress Booking Activities Plugin versions up to and including 1.16.44. It allows a malicious actor with low privileges or no authentication to escalate their privileges, potentially gaining full control over the affected website. This vulnerability falls under the OWASP Top 10 category A7: Identification and Authentication Failures and has a CVSS severity score of 8.1. The issue is fixed in version 1.16.45 of the plugin. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with little or no access to escalate their privileges and gain full control over the affected website. This means the attacker could manipulate, steal, or delete data, install malicious code, or disrupt website operations, leading to severe security breaches and potential loss of trust or revenue. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific commands or methods to detect this vulnerability on your network or system. Detection can involve checking the installed version of the Booking Activities WordPress plugin to see if it is version 1.16.44 or earlier, which is vulnerable. However, no explicit detection commands or network indicators are given.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Booking Activities WordPress plugin to version 1.16.45 or later, which contains the fix for this vulnerability. Additionally, users of the Patchstack security platform can enable a rule that blocks attacks targeting this vulnerability and can enable auto-updates for vulnerable plugins to ensure rapid protection until the update is applied. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.