CVE-2025-12042 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Course Booking System plugin for WordPress, developed by werbeagenturcommotion. The issue exists due to the absence of a capability check in the csv-export.php script, which handles exporting booking data. This missing authorization allows unauthenticated attackers to directly access this export endpoint and retrieve potentially sensitive booking information without any authentication or user interaction. The vulnerability affects all plugin versions up to and including 6.1.5. The CVSS v3.1 base score is 5.3, reflecting a medium severity level with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. The impact is limited to confidentiality loss, with no integrity or availability effects. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is significant because it exposes potentially sensitive booking data such as customer names, contact details, and booking specifics, which could be leveraged for further attacks or identity theft. The plugin is used in WordPress environments, which are widely deployed across Europe, especially in small to medium enterprises and educational institutions. The lack of authorization checks in a data export function is a critical design oversight that can lead to data breaches if left unmitigated.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of personal and booking data, which can lead to privacy violations and non-compliance with GDPR regulations. Exposure of customer data can result in reputational damage, legal penalties, and loss of customer trust. Organizations in sectors such as education, training, event management, and small businesses using WordPress with this plugin are particularly vulnerable. The breach of confidentiality could also facilitate targeted phishing or social engineering attacks. Although the vulnerability does not affect system integrity or availability, the data exposure alone is significant given the sensitivity of booking information. The ease of exploitation (no authentication or user interaction required) increases the likelihood of opportunistic attacks. The absence of known exploits in the wild currently limits immediate risk, but the vulnerability remains exploitable and should be addressed promptly to prevent future incidents.

Since no official patches are currently available, European organizations should implement immediate compensating controls. These include restricting access to the csv-export.php file using web server configurations such as IP whitelisting or authentication requirements at the server level. Disabling or removing the export functionality temporarily can reduce exposure. Monitoring web server logs for unauthorized access attempts to this endpoint is critical for early detection. Organizations should also audit their WordPress installations to identify the presence of the vulnerable plugin and upgrade to a patched version once released. Applying the principle of least privilege by limiting plugin permissions and isolating WordPress environments can reduce risk. Additionally, organizations should review and update their data protection policies to ensure compliance with GDPR, including breach notification procedures. Regular security assessments and penetration testing focusing on WordPress plugins can help identify similar vulnerabilities proactively.