CVE-2025-22720 identifies a missing authorization vulnerability in the magepeopleteam Booking and Rental Manager plugin for WooCommerce, specifically in versions up to and including 2.2.1. This vulnerability arises from incorrectly configured access control security levels, which allow unauthorized users to perform actions that should be restricted. The plugin manages booking and rental operations, which typically involve sensitive customer data and transaction details. Due to the missing authorization checks, an attacker could potentially access or manipulate booking information, disrupt rental schedules, or interfere with the booking process. The vulnerability does not require user interaction, meaning exploitation can be automated or performed remotely if the attacker can reach the affected interface. Although no known exploits have been reported in the wild, the risk remains significant given the plugin’s role in e-commerce and rental management. No CVSS score has been assigned yet, but the nature of the vulnerability suggests a high severity due to the direct impact on access control and potential data integrity compromise. The vulnerability was publicly disclosed in January 2025, with no patches currently linked, emphasizing the need for immediate attention from users of the plugin. Organizations relying on this plugin should monitor for updates and consider interim access restrictions to mitigate risk.

The missing authorization vulnerability can lead to unauthorized access to booking and rental data, compromising confidentiality and integrity. Attackers could manipulate bookings, alter rental schedules, or access sensitive customer information, potentially leading to financial losses, reputational damage, and operational disruption. For organizations, this could mean unauthorized transactions, data breaches involving personal identifiable information (PII), and loss of customer trust. The availability impact is moderate, as attackers might disrupt booking processes but not necessarily cause full service outages. The scope includes all organizations using the affected versions of the Booking and Rental Manager plugin, particularly those with significant online booking or rental operations. Given the plugin’s integration with WooCommerce, a widely used e-commerce platform, the potential attack surface is broad. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.

1. Immediately restrict access to the Booking and Rental Manager plugin interface to trusted administrators only, using network-level controls or WooCommerce user role restrictions. 2. Monitor official magepeopleteam channels and Patchstack for security updates or patches addressing CVE-2025-22720 and apply them promptly upon release. 3. Conduct a thorough review of access control configurations within WooCommerce and the plugin to ensure proper authorization checks are enforced. 4. Implement logging and alerting on booking and rental management activities to detect unauthorized access attempts. 5. Consider temporarily disabling the plugin if it is not critical to operations until a patch is available. 6. Educate staff on the risks associated with unauthorized access and enforce strong authentication mechanisms for administrative accounts. 7. Use web application firewalls (WAFs) to block suspicious requests targeting the plugin endpoints. 8. Regularly audit user permissions and remove unnecessary privileges related to booking management.