CVE-2025-68006
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-01-29

Assigner: Patchstack

Description
Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data.This issue affects Booking Ultra Pro: from n/a through <= 1.1.23.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-29
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68006
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack booking_ultra_pro to 1.1.23 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized access to sensitive information, which could lead to non-compliance with data protection regulations such as GDPR and HIPAA that require safeguarding sensitive data. Exposure of sensitive data may result in violations of these standards, potentially leading to legal and financial consequences. Implementing mitigations is strongly advised to reduce the risk of such compliance issues. [1]

Detection Guidance

There are no specific detection commands provided for this vulnerability. However, it is recommended to apply Patchstack's mitigation rule to block attacks exploiting this issue until an official patch is released. Monitoring for unauthorized access attempts by users with subscriber or developer privileges may help detect exploitation attempts. For detailed mitigation and detection, using Patchstack's automated vulnerability mitigation tools is advised. [1]

Executive Summary

CVE-2025-68006 is a medium priority Sensitive Data Exposure vulnerability in the WordPress Booking Ultra Pro Plugin (versions up to and including 1.1.23). It allows a malicious actor with subscriber or developer privileges to access sensitive information that should normally be restricted. This vulnerability falls under the OWASP Top 10 category A3: Sensitive Data Exposure and can lead to unauthorized retrieval of embedded sensitive data. [1]

Impact Analysis

This vulnerability can allow attackers with certain privileges to access sensitive information that should be protected. This unauthorized access can lead to further exploitation of the system, potentially compromising user data and the integrity of the website. Since no official patch is available yet, affected users are advised to apply mitigation rules to block attacks exploiting this issue. [1]

Mitigation Strategies

Since no official fix or patched version is currently available, you should immediately implement the mitigation rule released by Patchstack to block attacks exploiting this vulnerability. Patchstack provides automated vulnerability mitigation and continuous security intelligence to help safeguard WordPress sites against this threat. Users are strongly advised to apply these mitigation measures until an official patch is released and tested. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68006. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart