CVE-2025-14065 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Simple Bike Rental plugin for WordPress, developed by rodolforizzo76. The flaw exists because the plugin fails to perform proper capability checks on the AJAX action 'simpbire_carica_prenotazioni', which is responsible for loading booking data. This omission allows any authenticated user with at least Subscriber-level access to invoke this AJAX action and retrieve all booking records stored by the plugin. These records contain sensitive personally identifiable information (PII), including customer names, email addresses, and phone numbers. The vulnerability affects all versions up to and including 1.0.6. Exploitation does not require elevated privileges beyond a standard authenticated user, nor does it require user interaction beyond sending the AJAX request. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the network attack vector, low complexity, no privileges required, and no user interaction, but limited to confidentiality impact only. No integrity or availability impacts are reported. No patches have been linked yet, and no known exploits are publicly reported. The vulnerability poses a significant privacy risk, especially for organizations handling customer data through this plugin, potentially leading to data breaches and regulatory non-compliance.

The primary impact of CVE-2025-14065 is the unauthorized disclosure of sensitive customer PII stored within the Simple Bike Rental plugin. This can lead to privacy violations, identity theft risks, and reputational damage for affected organizations. Since the vulnerability allows any authenticated user, including those with minimal privileges, to access all booking data, insider threats or compromised low-privilege accounts can easily exploit it. Organizations may face legal and regulatory consequences under data protection laws such as GDPR, CCPA, or similar frameworks due to the exposure of personal data. Although the vulnerability does not affect system integrity or availability, the confidentiality breach alone can erode customer trust and result in financial penalties. The scope is limited to websites using this specific plugin, but given WordPress's widespread adoption, the potential number of affected sites is significant. Attackers could use the stolen data for phishing, social engineering, or further targeted attacks against customers or the organization.

To mitigate CVE-2025-14065, organizations should immediately verify if they use the Simple Bike Rental plugin version 1.0.6 or earlier. If so, they should restrict access to the plugin's booking data by implementing custom capability checks on the 'simpbire_carica_prenotazioni' AJAX action, ensuring only authorized roles (e.g., administrators or trusted staff) can invoke it. Until an official patch is released, consider disabling the plugin or the vulnerable AJAX endpoint if feasible. Monitoring user accounts for suspicious activity, especially those with Subscriber-level access, can help detect exploitation attempts. Additionally, organizations should review and minimize the number of users with authenticated access to the WordPress backend. Regular backups and logging of access to sensitive data can aid in incident response. Once the vendor releases a patch, apply it promptly. Finally, educate staff about the risks of unauthorized data access and enforce strong authentication controls to reduce the risk of account compromise.