The vulnerability identified as CVE-2025-14146 affects the Booking Calendar plugin developed by wpdevelop for WordPress, specifically all versions up to and including 10.14.10. The root cause is a missing authorization check (CWE-862) in the AJAX action named WPBC_FLEXTIMELINE_NAV. This AJAX endpoint is intended to provide timeline navigation data for bookings but fails to enforce proper nonce verification when the 'booking_is_nonce_at_front_end' option is set to 'Off' (the default setting). Additionally, the 'booking_is_show_popover_in_timeline_front_end' option, which is enabled by default in demo installations and can be enabled by administrators, allows the front-end display of booking popovers. Due to these settings, unauthenticated attackers can invoke the AJAX action and retrieve sensitive booking information, including customer names, email addresses, phone numbers, and booking details without any authentication or user interaction. The vulnerability does not affect the integrity or availability of the system but compromises confidentiality by exposing sensitive personal data. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the ease of exploitation (network accessible, no privileges required, no user interaction) and limited impact scope (confidentiality only). No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is significant for websites using the Booking Calendar plugin, particularly those handling sensitive customer booking data.

The primary impact of CVE-2025-14146 is the unauthorized disclosure of sensitive customer information, including names, email addresses, phone numbers, and booking details. This exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), reputational damage, and potential targeted phishing or social engineering attacks against affected customers. Organizations relying on the Booking Calendar plugin for managing reservations or appointments risk leaking personally identifiable information (PII) to unauthenticated attackers. While the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can have serious consequences, especially for businesses in sectors like hospitality, healthcare, or professional services where booking data is sensitive. The ease of exploitation (no authentication or user interaction required) increases the risk of automated scanning and data harvesting by attackers. The lack of known exploits in the wild suggests limited current exploitation but also highlights the importance of proactive mitigation before attackers develop weaponized tools.

To mitigate CVE-2025-14146, organizations should take the following specific actions: 1) Immediately review and modify the 'booking_is_nonce_at_front_end' option to enable nonce verification, ensuring that AJAX requests require valid nonces to prevent unauthorized access. 2) Disable or carefully control the 'booking_is_show_popover_in_timeline_front_end' option, especially on production sites, to limit front-end exposure of booking data. 3) Monitor and restrict access to the WPBC_FLEXTIMELINE_NAV AJAX endpoint via web application firewalls (WAFs) or custom rules to block unauthenticated requests. 4) Update the Booking Calendar plugin to the latest version once a patch addressing this vulnerability is released by the vendor. 5) Conduct audits of booking data exposure and review logs for suspicious access patterns. 6) Inform affected customers if a data breach is suspected to comply with data protection regulations. 7) Consider alternative booking plugins with stronger security postures if timely patching is not feasible. These measures go beyond generic advice by focusing on configuration changes, access controls, and proactive monitoring tailored to this vulnerability's specifics.