CVE-2025-69340
Received Received - Intake
Missing Authorization in WeDesignTech Booking Addon

Publication date: 2026-03-05

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69340
EUVD
EUVD-2025-208307
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wedesigntech ultimate_booking_addon From 1.0.0 (inc) to 1.0.3 (inc)
wedesigntech ultimate_booking_addon to 1.0.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The primary immediate mitigation step is to update the WeDesignTech Ultimate Booking Addon Plugin to version 1.0.4 or later, where the vulnerability is patched.

Until the update can be applied, it is recommended to implement blocking rules to prevent attacks targeting this vulnerability.

Using security services like Patchstack can provide automatic updates and additional protection against exploitation attempts.

Executive Summary

CVE-2025-69340 is a high-priority Broken Access Control vulnerability in the WordPress WeDesignTech Ultimate Booking Addon Plugin versions up to and including 1.0.3.

The vulnerability arises from missing authorization, authentication, or nonce token checks in certain plugin functions, which allows unauthenticated users to perform actions that should be restricted to higher-privileged users.

This issue is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 7.5, indicating a significant risk and a high likelihood of exploitation.

The vulnerability was reported on December 2, 2025, and publicly disclosed on February 25, 2026. It is patched in version 1.0.4 of the plugin.

Impact Analysis

This vulnerability allows unauthenticated users to perform actions reserved for higher-privileged users due to missing authorization checks.

As a result, attackers can escalate privileges and potentially manipulate booking data or other sensitive functions within the plugin.

This can lead to unauthorized access, data manipulation, and compromise of the integrity and security of the affected WordPress site.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves missing authorization and broken access control in the WeDesignTech Ultimate Booking Addon Plugin, allowing unauthenticated users to perform privileged actions.

Detection can focus on monitoring for unauthorized access attempts or suspicious activity targeting plugin functions that should require higher privileges.

While specific commands are not provided, general approaches include:

  • Review web server logs for unusual POST or GET requests to endpoints related to the WeDesignTech Ultimate Booking Addon.
  • Use tools like curl or wget to test access to plugin functions without authentication to verify if unauthorized actions are possible.
  • Employ WordPress security plugins or monitoring tools that can detect broken access control or unauthorized privilege escalation attempts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69340. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart