
CVE-2025-10124: CWE-863 Incorrect Authorization in Booking Manager

Severity: Medium
Tags: Vulnerability, CVE-2025-10124, cve, cwe-863
Published: Fri Oct 10 2025 (10/10/2025, 06:00:06 UTC)
Source: CVE Database V5
Product: Booking Manager

Description

The Booking Manager WordPress plugin before 2.1.15 registers a shortcode that deletes bookings and makes that shortcode available to anyone with contributor and above privileges. When a page containing the shortcode is visited, the bookings are deleted.

AI-Powered Analysis

Last updated: 11/13/2025, 21:32:16 UTC

Technical Analysis

CVE-2025-10124 is an authorization vulnerability classified under CWE-863 in the Booking Manager WordPress plugin, affecting versions prior to 2.1.15. The plugin registers a shortcode that, when embedded in a page, deletes bookings. This shortcode is exposed to users with contributor or higher privileges, who can trigger booking deletions simply by placing it in a page that is then visited. The root cause is a missing authorization check on the shortcode's execution: the destructive action runs at render time without adequately verifying that the user is permitted to delete bookings, so an authenticated contributor obtains an action normally reserved for more privileged roles. The CVSS 3.1 base score is 4.5 (medium): the attack vector is network-based (web access) and attack complexity is low, but the vector requires privileges (PR:H) and user interaction (UI:R). The impact on integrity is high, since bookings can be deleted without proper authorization, while confidentiality and availability are unaffected. No public exploits have been reported, but the vulnerability poses a risk to organizations relying on Booking Manager for managing reservations. The plugin is commonly used in WordPress environments, which are widely deployed across Europe, especially in the hospitality, tourism, and service sectors. Because the contributor role is often granted to content creators or editors, the risk increases wherever role assignments are not tightly controlled. The record provides no patch link; users should upgrade to version 2.1.15 or later, where the issue is fixed. Organizations should also audit user roles and shortcode usage to reduce exposure.
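The bug class described above is a shortcode whose side effect fires at render time with no authorization check. The following PHP is an added illustration written for this page; it is not the Booking Manager plugin's code, and the shortcode tags, the `booking` post type and every `example_`-prefixed function are hypothetical. The vulnerable handler is shown beside a hardened version in which rendering has no side effect and the deletion is moved to an admin-post handler that checks a capability and a nonce.

```php
<?php
// Added illustration of the CWE-863 pattern. NOT the Booking Manager plugin's code:
// the shortcode tags, the 'booking' post type and all example_* functions are hypothetical.

// Hypothetical destructive helper: permanently deletes every post of type 'booking'.
function example_delete_all_bookings() {
    $ids = get_posts( array(
        'post_type'   => 'booking',
        'post_status' => 'any',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    foreach ( $ids as $id ) {
        wp_delete_post( $id, true );
    }
    return count( $ids );
}

// VULNERABLE pattern: the side effect runs whenever the page renders. Any role that may
// insert shortcodes (contributor and above) can place it, and the deletion then fires for
// whoever views the page, with no check on who placed it or who is viewing it.
function example_vuln_delete_bookings_shortcode( $atts ) {
    $n = example_delete_all_bookings();
    return '<p>' . esc_html( $n ) . ' bookings deleted.</p>';
}
add_shortcode( 'example_delete_bookings_vuln', 'example_vuln_delete_bookings_shortcode' );

// HARDENED pattern: rendering has no side effect. The shortcode only emits a form for
// users holding the capability; the deletion is a separate admin-post handler that
// re-checks the capability and a nonce before doing anything.
function example_safe_delete_bookings_shortcode( $atts ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return ''; // contributors, subscribers and anonymous visitors see nothing
    }
    $form  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    $form .= '<input type="hidden" name="action" value="example_delete_bookings">';
    $form .= wp_nonce_field( 'example_delete_bookings', '_wpnonce', true, false );
    $form .= '<button type="submit">Delete all bookings</button></form>';
    return $form;
}
add_shortcode( 'example_delete_bookings', 'example_safe_delete_bookings_shortcode' );

function example_handle_delete_bookings() {
    // Authorization is enforced in the handler, not only at render time: the form can be
    // submitted directly, and the viewer of a page is not necessarily its author.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to delete bookings.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_delete_bookings' ); // dies on a missing or invalid nonce
    $n = example_delete_all_bookings();
    // Leave an audit trail of every successful deletion.
    error_log( sprintf( 'example: user %d deleted %d bookings', get_current_user_id(), $n ) );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}
// admin_post_{action} only fires for logged-in users; there is deliberately no
// admin_post_nopriv_ counterpart, so anonymous requests never reach the handler.
add_action( 'admin_post_example_delete_bookings', 'example_handle_delete_bookings' );
```

The design point is that a shortcode callback should be a pure renderer. Whatever state change it offers must happen in a request handler that checks `current_user_can()` for the specific capability and validates a nonce, because the page author, the page viewer and the request submitter can be three different principals.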

Potential Impact

The primary impact of CVE-2025-10124 is on the integrity of booking data within affected WordPress sites using the Booking Manager plugin. Unauthorized deletion of bookings can disrupt business operations, cause loss of revenue, and damage customer trust. For European organizations in the hospitality, tourism, and service industries, this could lead to operational downtime and reputational harm. Since contributor-level users can exploit this vulnerability, insider threats and compromised contributor accounts pose a significant risk. The vulnerability does not affect confidentiality or availability directly but undermines data reliability and operational continuity. The medium CVSS score reflects moderate risk; however, the impact could be amplified in organizations with lax user privilege management or heavy reliance on the plugin for critical booking functions. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat. European entities with high WordPress usage and extensive booking operations are particularly exposed to this integrity compromise.

Mitigation Recommendations

1. Immediately update the Booking Manager plugin to version 2.1.15 or later, where the vulnerability is patched.
2. Review and restrict user roles, especially contributor privileges, to trusted personnel only.
3. Audit WordPress pages and posts for the presence of the vulnerable shortcode and remove it, or restrict access to pages containing it.
4. Implement strict access controls and monitoring on WordPress admin accounts to detect unauthorized shortcode usage.
5. Employ Web Application Firewalls (WAF) with custom rules to detect and block suspicious shortcode execution patterns.
6. Educate content creators and contributors about the risks of shortcode misuse and enforce least-privilege principles.
7. Regularly back up booking data to enable recovery in case of unauthorized deletions.
8. Monitor logs for unusual booking deletions or page visits by contributor-level users.
9. Consider disabling shortcode execution for contributors if it is not necessary for their role.
10. Engage in vulnerability scanning and penetration testing focused on WordPress plugins to proactively identify similar issues.
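Steps 3, 8 and 9 above can be implemented with a small amount of site-side PHP. The block below is an added example for this page, not part of Booking Manager: `example_audit_shortcode_usage()` lists posts containing a given shortcode and flags those whose author lacks a capability (step 3), and `example_gate_shortcode_by_author()` strips that shortcode before WordPress expands it when the post's author is not privileged (step 9), logging each stripped occurrence (step 8). The tag `example_delete_bookings` is a placeholder for the plugin's real shortcode name, which this record does not give; the `example_` functions are hypothetical.

```php
<?php
// Added audit and gating helpers for mitigation steps 3, 8 and 9. Not part of
// Booking Manager. 'example_delete_bookings' stands in for the plugin's real shortcode
// tag (not given in this record); every example_* function is hypothetical.

// Step 3: list every post or page whose content contains $tag, noting whether its
// author holds $required_cap. has_shortcode() only recognises registered tags, so run
// this while the plugin is active, e.g. from WP-CLI with `wp eval`.
function example_audit_shortcode_usage( $tag, $required_cap = 'manage_options' ) {
    $findings = array();
    $posts = get_posts( array(
        'post_type'   => array( 'post', 'page' ),
        'post_status' => array( 'publish', 'future', 'draft', 'pending', 'private' ),
        'numberposts' => -1,
        's'           => '[' . $tag, // cheap text pre-filter; has_shortcode() does the exact match
    ) );
    foreach ( $posts as $post ) {
        if ( ! has_shortcode( $post->post_content, $tag ) ) {
            continue;
        }
        $author = (int) $post->post_author;
        $findings[] = array(
            'ID'         => $post->ID,
            'title'      => $post->post_title,
            'status'     => $post->post_status,
            'author'     => $author,
            'author_can' => user_can( $author, $required_cap ), // false => needs review
        );
    }
    return $findings;
}

// Step 9: neutralise the shortcode in any post whose author lacks the capability.
// Runs at priority 9 on 'the_content', i.e. before do_shortcode() (priority 11) expands it.
function example_gate_shortcode_by_author( $content ) {
    $post = get_post();
    if ( ! $post ) {
        return $content;
    }
    $tag = 'example_delete_bookings'; // placeholder tag
    if ( user_can( (int) $post->post_author, 'manage_options' ) ) {
        return $content; // privileged author: leave the shortcode in place
    }
    $pattern  = '/' . get_shortcode_regex( array( $tag ) ) . '/s';
    $stripped = preg_replace( $pattern, '', $content );
    if ( null !== $stripped && $stripped !== $content ) {
        // Step 8: audit trail of each occurrence that was stripped at render time.
        error_log( sprintf(
            'example: stripped [%s] from post %d (author %d) while rendering for user %d',
            $tag, $post->ID, (int) $post->post_author, get_current_user_id()
        ) );
        return $stripped;
    }
    return $content;
}
add_filter( 'the_content', 'example_gate_shortcode_by_author', 9 );
```

To run the audit once from the command line with the plugin active: `wp eval 'print_r( example_audit_shortcode_usage( "example_delete_bookings" ) );'`, substituting the real tag. The gate is a stop-gap for sites that cannot update immediately; it only covers content passed through `the_content`, so updating to 2.1.15 or later remains the actual fix.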


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2025-09-08T17:28:36.714Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68e8ab7b7817465f6ff24971

Added to database: 10/10/2025, 6:45:15 AM

Last enriched: 11/13/2025, 9:32:16 PM

Last updated: 11/23/2025, 1:25:24 AM

Views: 75

Community Reviews

0 reviews

