CVE-2025-69340
Missing Authorization in WeDesignTech Booking Addon
Publication date: 2026-03-05
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wedesigntech | ultimate_booking_addon | From 1.0.0 (inc) to 1.0.3 (inc) |
| wedesigntech | ultimate_booking_addon | to 1.0.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to update the WeDesignTech Ultimate Booking Addon Plugin to version 1.0.4 or later, where the vulnerability is patched.
Until the update can be applied, it is recommended to implement blocking rules to prevent attacks targeting this vulnerability.
Using security services like Patchstack can provide automatic updates and additional protection against exploitation attempts.
Can you explain this vulnerability to me?
CVE-2025-69340 is a high-priority Broken Access Control vulnerability in the WordPress WeDesignTech Ultimate Booking Addon Plugin versions up to and including 1.0.3.
The vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unauthenticated users to perform actions that should be restricted to higher-privileged users.
This issue is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 7.5, indicating a significant risk and a high likelihood of exploitation.
The vulnerability was reported on December 2, 2025, and publicly disclosed on February 25, 2026. It is patched in version 1.0.4 of the plugin.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated users to perform actions reserved for higher-privileged users due to missing authorization checks.
As a result, attackers can escalate privileges and potentially manipulate booking data or other sensitive functions within the plugin.
This can lead to unauthorized access, data manipulation, and compromise of the integrity and security of the affected WordPress site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing authorization and broken access control in the WeDesignTech Ultimate Booking Addon Plugin, allowing unauthenticated users to perform privileged actions.
Detection can focus on monitoring for unauthorized access attempts or suspicious activity targeting plugin functions that should require higher privileges.
While specific commands are not provided, general approaches include:
- Review web server logs for unusual POST or GET requests to endpoints related to the WeDesignTech Ultimate Booking Addon.
- Use tools like curl or wget to test access to plugin functions without authentication to verify if unauthorized actions are possible.
- Employ WordPress security plugins or monitoring tools that can detect broken access control or unauthorized privilege escalation attempts.