CVE-2025-12573: CWE-862 Missing Authorization in Bookingor
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete the plugin's data.
AI Analysis
Technical Summary
CVE-2025-12573 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Bookingor WordPress plugin through version 1.0.12. The vulnerability stems from the plugin exposing authenticated AJAX actions without enforcing capability checks or nonce verification. As a result, any authenticated user, regardless of privilege level, can invoke these AJAX endpoints to delete Bookingor plugin data. The lack of authorization controls on these AJAX actions lets low-privileged users perform destructive operations that should be restricted to administrators or trusted roles. Exploitation requires an authenticated account, but because many WordPress sites allow user registration or maintain multiple user roles, the exposed population includes a broad range of authenticated users. No CVSS score has been assigned yet, and no patches or known exploits are currently reported. The vulnerability could lead to data integrity loss, operational disruption, and potential denial of service for organizations relying on Bookingor for booking management. The root cause is the absence of proper capability checks and nonce validation in the plugin's AJAX handlers; both are standard security controls in WordPress development, the former preventing unauthorized actions and the latter preventing CSRF. Given the widespread use of WordPress in Europe and the importance of booking management systems, this vulnerability poses a significant risk if left unaddressed.
Potential Impact
For European organizations using the Bookingor plugin, this vulnerability could lead to unauthorized deletion of booking data, resulting in operational disruptions, loss of customer trust, and potential financial losses. The integrity of booking records is critical for businesses in hospitality, event management, and service industries. Attackers exploiting this flaw could cause denial of service by deleting essential data, impacting availability. Since the vulnerability requires only authenticated access without elevated privileges, it increases the risk from insider threats or compromised low-privileged accounts. The absence of nonce checks also raises the possibility of cross-site request forgery (CSRF) attacks, further broadening the attack surface. Organizations relying on Bookingor without strict user role management or monitoring could face significant data integrity and availability issues. Recovery from such attacks may require data restoration from backups, which could be time-consuming and costly. The reputational damage from service interruptions could also affect customer retention and regulatory compliance, especially under GDPR requirements for data protection and incident reporting.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit and restrict access to Bookingor plugin AJAX endpoints by implementing strict capability checks that ensure only authorized roles (e.g., administrators) can perform sensitive actions. Developers or site administrators should add nonce verification to all AJAX requests to prevent CSRF attacks. Until an official patch is released, consider disabling or restricting the Bookingor plugin's AJAX functionality if feasible. Regularly review user roles and permissions to limit the number of users with authenticated access, especially low-privileged accounts that could exploit this flaw. Monitor logs for unusual AJAX activity indicative of exploitation attempts. Employ web application firewalls (WAFs) with custom rules to detect and block unauthorized AJAX requests targeting Bookingor endpoints. Maintain frequent backups of booking data to enable quick recovery in case of data deletion. Stay updated with vendor advisories for patches and apply them promptly once available. Additionally, consider isolating Bookingor plugin usage to dedicated environments with minimal user access to reduce exposure.
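As an added example of the two controls the recommendations call for (this is not Bookingor's code; the action name, capability, table and script handle are hypothetical), a WordPress AJAX delete handler that verifies a nonce and a capability before touching any data, plus the enqueue step that hands the nonce to the plugin's own admin script:

```php
<?php
// Added example, not Bookingor's code. 'example_booking_delete', the
// 'example_bookings' table and the 'example-booking-admin' script handle
// are hypothetical. wp_ajax_* hooks fire for every logged-in user, so the
// handler itself must decide who is allowed to call it.
add_action( 'wp_ajax_example_booking_delete', 'example_booking_delete' );

function example_booking_delete() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    //    On failure check_ajax_referer() terminates the request with -1.
    check_ajax_referer( 'example_booking_delete', 'nonce' );

    // 2. Authorization: a low-privileged role (e.g. Subscriber) must not pass.
    //    'manage_options' is held by Administrators by default; a plugin may
    //    register a narrower custom capability instead.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: reject a missing or non-positive id.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid booking id.' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'example_bookings',
        array( 'id' => $id ),
        array( '%d' )
    );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// Expose the nonce to the (assumed already registered) admin script so the
// plugin's legitimate UI can include it as the 'nonce' POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-booking-admin', 'exampleBooking', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_booking_delete' ),
    ) );
} );
```

The nonce check and the capability check address different failures: the nonce stops a forged cross-site request from a logged-in browser, while the capability check stops an authenticated but unprivileged account, and omitting either one leaves the handler exposed.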
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-10-31T20:55:18.575Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 696f1ec84623b1157c1b768d
Added to database: 1/20/2026, 6:20:56 AM
Last enriched: 1/20/2026, 6:35:20 AM
Last updated: 2/7/2026, 11:34:21 AM