The Booking Calendar plugin by wpdevelop for WordPress is vulnerable to a sensitive information exposure vulnerability identified as CVE-2025-14146. This vulnerability stems from missing authorization checks in the WPBC_FLEXTIMELINE_NAV AJAX action. Specifically, the plugin’s nonce verification mechanism is conditionally disabled by default because the 'booking_is_nonce_at_front_end' option is set to 'Off' by default. Additionally, the 'booking_is_show_popover_in_timeline_front_end' option, which enables certain frontend timeline popovers, is enabled by default in demo installations and can be enabled by administrators. When these conditions are met, unauthenticated attackers can invoke the AJAX action to retrieve sensitive booking data including customer names, email addresses, phone numbers, and booking details without any authentication or user interaction. The vulnerability affects all versions up to and including 10.14.10. The CVSS 3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts confidentiality only. No integrity or availability impacts are noted. There are no known public exploits or patches available at the time of publication, but the vulnerability is publicly disclosed and assigned by Wordfence. This issue represents a classic case of CWE-862 (Missing Authorization), where insufficient access control allows unauthorized data access. Organizations using this plugin for booking management on WordPress sites are at risk of sensitive customer data leakage, which could lead to privacy violations and regulatory non-compliance.

For European organizations, the exposure of sensitive booking data can have significant privacy and compliance implications, especially under GDPR regulations which mandate strict protection of personal data. Leakage of customer names, emails, and phone numbers can lead to identity theft, phishing campaigns, and reputational damage. Organizations in sectors such as hospitality, healthcare, and professional services that rely on the Booking Calendar plugin for client appointments or reservations are particularly vulnerable. The breach of confidentiality could undermine customer trust and result in regulatory fines. Although the vulnerability does not affect data integrity or system availability, the unauthorized data disclosure alone is sufficient to cause material harm. The ease of exploitation (no authentication or user interaction required) increases the risk of automated scanning and data harvesting by malicious actors. The lack of known exploits in the wild currently limits immediate risk, but the public disclosure increases the likelihood of future exploitation attempts.

European organizations should immediately audit their WordPress installations to identify the use of the wpdevelop Booking Calendar plugin and verify the version in use. Administrators should ensure that the 'booking_is_nonce_at_front_end' option is enabled to enforce nonce verification on frontend AJAX actions, thereby restoring proper authorization checks. If the 'booking_is_show_popover_in_timeline_front_end' option is not essential, it should be disabled to reduce the attack surface. Until an official patch is released, consider restricting access to the vulnerable AJAX endpoint via web application firewalls or server-level access controls. Monitoring web server logs for suspicious requests to WPBC_FLEXTIMELINE_NAV can help detect exploitation attempts. Additionally, organizations should review and enhance their data protection policies to minimize the amount of sensitive data stored in booking systems. Regular backups and incident response plans should be updated to address potential data exposure incidents. Finally, stay informed about vendor updates and apply patches promptly once available.