CVE-2025-14065: CWE-862 Missing Authorization in rodolforizzo76 Simple Bike Rental
The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers.
AI Analysis
Technical Summary
The Simple Bike Rental plugin for WordPress, developed by rodolforizzo76, suffers from a missing authorization vulnerability identified as CVE-2025-14065 (CWE-862). This vulnerability arises because the AJAX action 'simpbire_carica_prenotazioni' lacks a proper capability check, allowing any authenticated user with Subscriber-level access or above to invoke this action and retrieve all booking records stored by the plugin. These records contain sensitive personally identifiable information (PII) including customer names, email addresses, and phone numbers. The vulnerability affects all versions up to and including 1.0.6. The CVSS 3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based, requires no privileges beyond authentication, and no user interaction is needed. The impact is limited to confidentiality loss, with no effect on integrity or availability. No patches or fixes have been published yet, and no known exploits are reported in the wild. The vulnerability is significant because it exposes sensitive customer data to unauthorized users who may have only minimal access to the WordPress site, potentially leading to privacy violations and regulatory non-compliance. The flaw is a classic example of missing authorization checks on backend AJAX handlers in WordPress plugins, a common security oversight.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of customer PII, which can lead to privacy breaches and violations of the EU General Data Protection Regulation (GDPR). Exposure of names, emails, and phone numbers can facilitate phishing, identity theft, and social engineering attacks targeting customers. Organizations operating bike rental services or managing booking data via WordPress sites using this plugin are particularly vulnerable. The breach of customer trust and potential regulatory fines could have financial and reputational consequences. Although the vulnerability does not affect system integrity or availability, the confidentiality impact alone is significant given the sensitivity of the data involved. The ease of exploitation by low-privilege authenticated users increases the threat level, especially in environments where subscriber accounts are easily created or compromised.
Mitigation Recommendations
Immediate mitigation steps include restricting access to the 'simpbire_carica_prenotazioni' AJAX action by implementing proper capability checks to ensure only authorized roles (e.g., administrators or managers) can invoke it. Site administrators should audit user roles and permissions to minimize the number of users with Subscriber-level or higher access. Monitoring and logging AJAX requests to detect unusual access patterns to booking data is recommended. Until an official patch is released, consider disabling the Simple Bike Rental plugin if it is not critical or replacing it with a more secure alternative. Regularly update WordPress core and plugins to incorporate security fixes. Additionally, conduct a privacy impact assessment and notify affected customers if a data breach is suspected. Employ web application firewalls (WAFs) with custom rules to block unauthorized AJAX calls targeting this endpoint as a temporary protective measure.
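The pattern described above, as an added illustration: a minimal WordPress AJAX handler in the vulnerable shape (no capability check) beside its hardened form. This is not the Simple Bike Rental plugin's own code; only the action name comes from the advisory, and the table name, function names and nonce action are hypothetical.

```php
<?php
// Added example, not the plugin's code. The action name is from the advisory;
// the table 'example_bookings' and all function names are hypothetical.

// VULNERABLE shape (CWE-862): hooking 'wp_ajax_<action>' makes the callback
// reachable by every logged-in user, and the callback never asks who is
// calling. Any Subscriber can POST action=simpbire_carica_prenotazioni to
// wp-admin/admin-ajax.php and receive every booking row, PII included.
// It would be registered like this (do not ship):
//   add_action( 'wp_ajax_simpbire_carica_prenotazioni', 'example_load_bookings_vulnerable' );
function example_load_bookings_vulnerable() {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT id, customer_name, email, phone, bike_id, start_date
           FROM {$wpdb->prefix}example_bookings",
        ARRAY_A
    );
    wp_send_json_success( $rows );   // PII returned to anyone authenticated
}

// HARDENED shape: a nonce check (request forgery) plus a capability check
// (authorization). 'manage_options' restricts the call to administrators;
// a plugin could instead register a narrower custom capability such as a
// hypothetical 'manage_bike_bookings' for a rental-manager role.
add_action( 'wp_ajax_simpbire_carica_prenotazioni', 'example_load_bookings_hardened' );
function example_load_bookings_hardened() {
    // The nonce must be issued to the admin page with
    // wp_create_nonce( 'example_bookings_nonce' ) and sent as the 'nonce' field.
    // check_ajax_referer() terminates the request (HTTP 403) if it is invalid.
    check_ajax_referer( 'example_bookings_nonce', 'nonce' );

    // The check the advisory says is missing: stop here unless the caller
    // holds the required capability. Subscribers do not have 'manage_options'.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT id, customer_name, email, phone, bike_id, start_date
           FROM {$wpdb->prefix}example_bookings",
        ARRAY_A
    );
    wp_send_json_success( $rows );
}
```

Note that no 'wp_ajax_nopriv_' hook is registered in either form, which is why the advisory scopes the issue to authenticated users; the hardened version closes the gap between "logged in" and "authorized".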
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-04T20:59:47.264Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693bfc942d1261d38d80bda6
Added to database: 12/12/2025, 11:29:24 AM
Last enriched: 12/12/2025, 11:44:57 AM
Last updated: 12/12/2025, 5:03:20 PM