CVE-2025-12042: CWE-862 Missing Authorization in werbeagenturcommotion Course Booking System
The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export of all booking data.
AI Analysis
Technical Summary
CVE-2025-12042 is a vulnerability identified in the Course Booking System plugin for WordPress, developed by werbeagenturcommotion. The issue stems from a missing authorization check (CWE-862) in the csv-export.php script, which handles exporting booking data in CSV format. This missing capability check means that any unauthenticated attacker can directly request this file and retrieve an export of all booking data stored by the plugin. The vulnerability affects all versions up to and including 6.1.5. The CVSS 3.1 base score is 5.3, reflecting a medium severity due to the ease of exploitation (no authentication or user interaction required) but limited impact scope (confidentiality only, no integrity or availability impact). The vulnerability allows attackers to access potentially sensitive booking information such as customer names, contact details, and booking specifics without any privilege. Although no public exploits have been reported yet, the straightforward nature of the flaw makes it a significant privacy concern for affected sites. The vulnerability is network exploitable and does not require any user interaction, increasing the risk of automated scanning and data harvesting. The lack of patches or official fixes at the time of reporting necessitates immediate protective measures by administrators. This vulnerability highlights the importance of implementing proper authorization checks on sensitive data export functionalities within web applications and plugins.
Potential Impact
The primary impact of CVE-2025-12042 is the unauthorized disclosure of booking data managed by the Course Booking System plugin. This can lead to privacy violations, exposure of personally identifiable information (PII), and potential regulatory compliance issues such as GDPR breaches for organizations handling EU citizen data. While the vulnerability does not affect data integrity or availability, the confidentiality loss can damage customer trust and result in reputational harm. Organizations relying on this plugin for course registrations, event bookings, or client management are at risk of data leakage. Attackers could use the exposed data for phishing, social engineering, or identity theft. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and mass data harvesting. Although no known exploits are currently in the wild, the vulnerability's presence in a widely used WordPress plugin means many small to medium enterprises globally could be affected, especially those in education, training, and event management sectors. The impact is thus moderate but significant enough to warrant urgent attention.
Mitigation Recommendations
1. Immediately restrict access to the csv-export.php file by implementing web server-level access controls such as IP whitelisting or authentication requirements to prevent unauthenticated access.
2. Use .htaccess rules or equivalent to deny direct access to sensitive export scripts unless accessed by authorized users.
3. Monitor web server logs for unusual or repeated access attempts to csv-export.php and investigate suspicious activity promptly.
4. If possible, disable the CSV export functionality temporarily until a patch or update is released by the vendor.
5. Regularly update the Course Booking System plugin once a security patch addressing this vulnerability is made available by werbeagenturcommotion.
6. Conduct a thorough review of user permissions and capability checks in custom plugins or themes to ensure no other missing authorization issues exist.
7. Educate site administrators on the risks of exposing sensitive export endpoints without proper authorization.
8. Consider implementing Web Application Firewall (WAF) rules to block unauthorized requests targeting the vulnerable endpoint.
9. Perform regular security audits and vulnerability scans focusing on authorization enforcement in all web application components.
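A log-review helper for step 3, added here as an example and not code from the plugin or its vendor: it parses combined-format web server access logs, flags every request for csv-export.php, and counts successful (HTTP 200, non-empty body) downloads per client IP so that repeated harvesting by one source stands out. The plugin directory slug in the constructed sample lines and the repeat threshold are assumptions.

```python
import re
from collections import Counter

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

EXPORT_PATH = "csv-export.php"  # the unauthenticated endpoint from the advisory

# Constructed sample log; the plugin slug "course-booking-system" is assumed.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Nov/2025:02:14:07 +0000] "GET /wp-content/plugins/course-booking-system/csv-export.php HTTP/1.1" 200 48213 "-" "python-requests/2.31"
203.0.113.10 - - [09/Nov/2025:02:14:09 +0000] "GET /wp-content/plugins/course-booking-system/csv-export.php?x=1 HTTP/1.1" 200 48213 "-" "python-requests/2.31"
203.0.113.10 - - [09/Nov/2025:02:14:11 +0000] "GET /wp-content/plugins/course-booking-system/csv-export.php HTTP/1.1" 200 48213 "-" "python-requests/2.31"
198.51.100.7 - - [09/Nov/2025:03:01:55 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2025:03:02:10 +0000] "GET /wp-content/plugins/course-booking-system/csv-export.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_export_hits(lines, threshold=3):
    """Return (hits, offenders): every request for csv-export.php, and the
    IPs with at least `threshold` successful downloads (200 with a body).
    Access logs do not show whether the caller was logged in, so on an
    unpatched site every successful hit deserves a look; repeat hits from
    one source are the strongest signal of automated harvesting."""
    hits, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query string
        if not path.endswith(EXPORT_PATH):
            continue
        hits.append(rec)
        if rec["status"] == 200 and rec["size"] > 0:
            per_ip[rec["ip"]] += 1
    offenders = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return hits, offenders


if __name__ == "__main__":
    hits, offenders = find_export_hits(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} requests for {EXPORT_PATH}; repeat downloaders: {offenders}")
```

Point it at a real log with `find_export_hits(open("access.log"))` and feed the offender list to the WAF or .htaccess deny rules from steps 1 and 8.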
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-21T18:53:56.509Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690ebeaf3a8fd010ecf6421b
Added to database: 11/8/2025, 3:53:19 AM
Last enriched: 2/27/2026, 7:56:31 PM
Last updated: 3/22/2026, 6:58:55 AM