The Booking Calendar plugin for WordPress, widely used for managing appointments and bookings, contains a sensitive information exposure vulnerability identified as CVE-2025-14146. The root cause is a missing authorization check (CWE-862) in the AJAX action 'WPBC_FLEXTIMELINE_NAV'. Specifically, nonce verification, which is a security measure to prevent unauthorized requests, is conditionally disabled by default because the 'booking_is_nonce_at_front_end' option defaults to 'Off'. When the 'booking_is_show_popover_in_timeline_front_end' option is enabled—commonly true in demo installations and optionally enabled by administrators—unauthenticated attackers can invoke this AJAX action to retrieve sensitive booking data. This data includes personally identifiable information (PII) such as customer names, email addresses, phone numbers, and detailed booking information. The vulnerability affects all versions up to and including 10.14.10. The attack vector requires no privileges or user interaction, making it remotely exploitable over the network. While no public exploits have been reported yet, the exposure of sensitive customer data poses significant privacy risks. The CVSS 3.1 score of 5.3 reflects a medium severity, emphasizing the confidentiality impact without affecting system integrity or availability.

For European organizations, this vulnerability poses a significant risk to customer privacy and data protection compliance, particularly under GDPR regulations. Exposure of personal data such as names, emails, and phone numbers can lead to privacy violations, reputational damage, and potential regulatory fines. Organizations using the Booking Calendar plugin on their WordPress sites may inadvertently expose sensitive booking information to unauthenticated attackers. This can undermine customer trust and lead to secondary attacks such as phishing or social engineering. Since the vulnerability does not affect system integrity or availability, operational disruption is unlikely; however, the confidentiality breach alone is critical in the context of European data protection laws. The ease of exploitation and lack of authentication requirements increase the urgency for mitigation. Organizations in sectors with high customer interaction via booking systems—such as hospitality, healthcare, and professional services—are particularly vulnerable.

Administrators should immediately verify the configuration of the Booking Calendar plugin, specifically the 'booking_is_nonce_at_front_end' and 'booking_is_show_popover_in_timeline_front_end' options. Setting 'booking_is_nonce_at_front_end' to 'On' will enforce nonce verification and prevent unauthorized AJAX requests. If possible, disable the 'booking_is_show_popover_in_timeline_front_end' option unless absolutely necessary. Update the plugin to the latest version once a patch is released by wpdevelop. In the interim, restrict access to the AJAX endpoint via web application firewall (WAF) rules or IP whitelisting to limit exposure. Conduct audits of booking data access logs to detect any suspicious activity. Additionally, review and enhance overall WordPress security posture, including limiting plugin usage to trusted sources and regularly monitoring for plugin updates. Inform customers and stakeholders about the potential data exposure and prepare incident response plans in case of exploitation.