CVE-2025-68006
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | booking_ultra_pro | to 1.1.23 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68006 is a medium priority Sensitive Data Exposure vulnerability in the WordPress Booking Ultra Pro Plugin (versions up to and including 1.1.23). It allows a malicious actor with subscriber or developer privileges to access sensitive information that should normally be restricted. This vulnerability falls under the OWASP Top 10 category A3: Sensitive Data Exposure and can lead to unauthorized retrieval of embedded sensitive data. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers with certain privileges to access sensitive information that should be protected. This unauthorized access can lead to further exploitation of the system, potentially compromising user data and the integrity of the website. Since no official patch is available yet, affected users are advised to apply mitigation rules to block attacks exploiting this issue. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no official fix or patched version is currently available, you should immediately implement the mitigation rule released by Patchstack to block attacks exploiting this vulnerability. Patchstack provides automated vulnerability mitigation and continuous security intelligence to help safeguard WordPress sites against this threat. Users are strongly advised to apply these mitigation measures until an official patch is released and tested. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized access to sensitive information, which could lead to non-compliance with data protection regulations such as GDPR and HIPAA that require safeguarding sensitive data. Exposure of sensitive data may result in violations of these standards, potentially leading to legal and financial consequences. Implementing mitigations is strongly advised to reduce the risk of such compliance issues. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands provided for this vulnerability. However, it is recommended to apply Patchstack's mitigation rule to block attacks exploiting this issue until an official patch is released. Monitoring for unauthorized access attempts by users with subscriber or developer privileges may help detect exploitation attempts. For detailed mitigation and detection, using Patchstack's automated vulnerability mitigation tools is advised. [1]