CVE-2025-14982 is a Missing Authorization vulnerability (CWE-862) found in the Booking Calendar plugin developed by wpdevelop for WordPress. This flaw exists in all plugin versions up to and including 10.14.11. The vulnerability arises because the plugin fails to properly enforce authorization checks on requests to view booking records. As a result, any authenticated user with at least Subscriber-level privileges can access the booking database entries belonging to other users. The exposed data includes sensitive personally identifiable information (PII) such as full names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes. The vulnerability is remotely exploitable over the network without requiring user interaction. The CVSS v3.1 base score is 4.3 (medium), reflecting low complexity of attack and limited impact confined to confidentiality. There is no impact on integrity or availability, and no known exploits have been observed in the wild. The issue was publicly disclosed on January 16, 2026, but no official patches or mitigation updates have been released by the vendor as of now. This vulnerability highlights a critical lapse in access control design within the plugin, exposing sensitive customer data to unauthorized internal users.

The primary impact of CVE-2025-14982 is the unauthorized disclosure of sensitive personal and booking information stored within the Booking Calendar plugin database. Organizations using this plugin risk exposure of customer PII, including contact details and payment information, which can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), reputational damage, and potential legal liabilities. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can facilitate targeted phishing, social engineering, or identity theft attacks. Since exploitation requires only Subscriber-level access, attackers could leverage compromised or malicious low-privilege accounts to escalate data exposure. The vulnerability affects any WordPress site using the vulnerable plugin version, which could include small businesses, service providers, and enterprises relying on online booking systems. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as public disclosure may prompt attackers to develop exploits. The absence of a patch increases the window of exposure, making proactive mitigation critical.

1. Immediately audit user roles and permissions on WordPress sites using the Booking Calendar plugin to ensure that Subscriber-level accounts are tightly controlled and monitored. 2. Restrict or disable Subscriber-level accounts if possible, or limit their access to the booking system until a patch is available. 3. Consider temporarily disabling or uninstalling the Booking Calendar plugin if it is not essential or if sensitive booking data is stored. 4. Monitor web server and application logs for unusual access patterns or attempts to enumerate booking records by low-privilege users. 5. Implement additional access control layers such as Web Application Firewalls (WAFs) to detect and block unauthorized access attempts targeting booking endpoints. 6. Stay informed of vendor updates and apply patches immediately once released. 7. If feasible, isolate booking data in separate databases or systems with stricter access controls. 8. Educate users and administrators about the risks of sharing credentials and the importance of strong authentication. 9. Conduct regular security assessments and penetration tests focusing on authorization controls within WordPress plugins. 10. Review and enhance logging and alerting mechanisms to quickly detect potential exploitation attempts.