CVE-2025-14065: CWE-862 Missing Authorization in rodolforizzo76 Simple Bike Rental
The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers.
AI Analysis
Technical Summary
The Simple Bike Rental plugin for WordPress, developed by rodolforizzo76, suffers from a missing authorization vulnerability identified as CVE-2025-14065 (CWE-862). The flaw exists in the 'simpbire_carica_prenotazioni' AJAX action, which lacks proper capability checks, allowing any authenticated user with Subscriber-level access or above to invoke this action and retrieve all booking records stored by the plugin. These records contain sensitive personally identifiable information (PII), including customer names, email addresses, and phone numbers. The vulnerability affects all versions up to and including 1.0.6. The CVSS 3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges beyond basic authentication, and no user interaction is needed. The impact is limited to confidentiality loss; integrity and availability remain unaffected. No known exploits have been reported in the wild, and no official patches have been published at the time of this report. The vulnerability arises from a failure to enforce authorization controls on a critical AJAX endpoint, a common security oversight in WordPress plugin development. Attackers exploiting this flaw can harvest sensitive customer data, potentially leading to privacy breaches and regulatory violations, especially under GDPR in Europe. The plugin is likely used by small to medium businesses in the bike rental and tourism sectors, which often rely on WordPress for their websites. The lack of a patch necessitates immediate mitigation steps by administrators to prevent unauthorized data disclosure.
Potential Impact
European organizations using the Simple Bike Rental plugin are at risk of unauthorized disclosure of customer PII, including names, emails, and phone numbers. This exposure can lead to privacy violations, reputational damage, and potential fines under the EU's General Data Protection Regulation (GDPR). The breach of confidentiality may also facilitate targeted phishing or social engineering attacks against customers. Since the vulnerability requires only Subscriber-level access, an attacker could be an insider or a compromised low-privilege account, increasing the risk of exploitation. Although the vulnerability does not affect data integrity or availability, the loss of sensitive data can disrupt customer trust and business operations. Tourism and bike rental businesses, which often handle large volumes of customer bookings, are particularly vulnerable. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is publicly known. Organizations failing to address this vulnerability promptly may face compliance issues and increased exposure to data breaches.
Mitigation Recommendations
1. Immediately audit and restrict user roles and permissions on WordPress sites using the Simple Bike Rental plugin, ensuring only trusted users have Subscriber-level or higher access.
2. Implement web application firewall (WAF) rules to monitor and block suspicious AJAX requests targeting the 'simpbire_carica_prenotazioni' action.
3. Temporarily disable or remove the Simple Bike Rental plugin until an official patch or update addressing the authorization flaw is released.
4. If disabling the plugin is not feasible, apply custom code patches or filters to enforce capability checks on the vulnerable AJAX endpoint, restricting access to authorized roles only (e.g., Administrator or Shop Manager).
5. Monitor server and application logs for unusual access patterns or repeated AJAX calls to the vulnerable action.
6. Educate site administrators and users about the risks of low-privilege account compromise and enforce strong authentication policies, including multi-factor authentication (MFA).
7. Prepare incident response plans for potential data breaches involving customer PII.
8. Stay informed about updates from the plugin developer and apply security patches promptly once available.
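Recommendations 4 and 5 can be covered together with a drop-in must-use plugin (wp-content/mu-plugins/) that runs before the plugin's own AJAX handler. This is an added example, not code from the Simple Bike Rental plugin or its author; the hook name follows WordPress's wp_ajax_{action} convention for the 'simpbire_carica_prenotazioni' action named on this page, and the required capability 'manage_options' (Administrator) is an assumption that the site owner may change or filter.

```php
<?php
/**
 * Plugin Name: Hotfix - capability check for simpbire_carica_prenotazioni
 * Description: Must-use plugin that denies the booking-export AJAX action to
 *              users lacking the required capability. Stopgap until the vendor
 *              ships a fixed release.
 */

// Capability required to load booking records. 'manage_options' (Administrator)
// is an assumption; filter it if another role (e.g. a shop manager) must have access.
function simpbire_hotfix_required_capability() {
    return apply_filters( 'simpbire_hotfix_required_capability', 'manage_options' );
}

function simpbire_hotfix_guard_bookings() {
    if ( current_user_can( simpbire_hotfix_required_capability() ) ) {
        return; // Authorised: let the plugin's own handler (default priority 10) run.
    }
    // Record the denied call so repeated probing shows up in the server log
    // (recommendation 5). REMOTE_ADDR is the direct client, which may be a proxy.
    error_log( sprintf(
        'simpbire_carica_prenotazioni denied: user=%d ip=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    // wp_send_json_error() terminates the request, so the unpatched handler never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Priority 0 runs ahead of the plugin's callback registered at the default priority.
add_action( 'wp_ajax_simpbire_carica_prenotazioni', 'simpbire_hotfix_guard_bookings', 0 );
// Also deny unauthenticated callers in case a nopriv handler is ever registered.
add_action( 'wp_ajax_nopriv_simpbire_carica_prenotazioni', 'simpbire_hotfix_guard_bookings', 0 );
```

Verify the guard by calling admin-ajax.php with the action as a Subscriber account on a staging site and confirming a 403 response plus a log entry, then remove the file once a patched plugin version is installed.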
Affected Countries
Germany, France, Netherlands, Spain, Italy, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-04T20:59:47.264Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693bfc942d1261d38d80bda6
Added to database: 12/12/2025, 11:29:24 AM
Last enriched: 12/19/2025, 12:37:38 PM
Last updated: 2/6/2026, 7:15:02 PM