CVE-2025-14982 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Booking Calendar plugin for WordPress, developed by wpdevelop. This flaw exists in all versions up to and including 10.14.11 and allows authenticated users with minimal privileges (Subscriber-level or higher) to bypass authorization controls and access booking records belonging to other users. The exposed data includes sensitive personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment statuses, booking costs, and booking hashes. The vulnerability arises because the plugin fails to properly verify whether the requesting user has the right to view the requested booking data, leading to sensitive information exposure. The attack vector is network-based, requiring only authentication but no user interaction, and can be exploited remotely. The CVSS v3.1 base score is 4.3, indicating a medium severity primarily due to confidentiality impact without affecting integrity or availability. No public exploits have been reported yet, but the vulnerability poses significant privacy risks, especially for organizations that rely on the Booking Calendar plugin to manage customer bookings and payments. The lack of a patch at the time of reporting means organizations must implement interim controls to prevent unauthorized data access.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive customer data, including PII and payment information, which can result in privacy violations and non-compliance with GDPR and other data protection regulations. Exposure of booking details could damage customer trust and lead to reputational harm. Although the vulnerability does not allow data modification or service disruption, the confidentiality breach alone is significant. Organizations in sectors such as hospitality, tourism, event management, and healthcare that use the Booking Calendar plugin are particularly at risk. The breach of personal data could also lead to legal penalties and increased scrutiny from data protection authorities. Additionally, attackers with Subscriber-level access could use the exposed information for targeted phishing or social engineering attacks, increasing the overall threat landscape.

Until an official patch is released, European organizations should implement strict access controls on WordPress user roles to limit Subscriber-level accounts and monitor their activities closely. Consider temporarily disabling the Booking Calendar plugin if feasible or restricting access to booking data via web application firewalls (WAF) or custom code that enforces authorization checks. Regularly audit user accounts and remove inactive or unnecessary Subscriber-level users. Employ logging and alerting mechanisms to detect unusual access patterns to booking data. Once a patch becomes available, prioritize immediate updating of the plugin. Additionally, review and enhance overall WordPress security posture by enforcing strong authentication, limiting plugin installations to trusted sources, and conducting regular vulnerability assessments. Organizations should also prepare incident response plans to handle potential data exposure incidents.