
CVE-2025-39541: CWE-862 Missing Authorization in Roland Murg WP Simple Booking Calendar

Severity: Medium
Tags: vulnerability, cve-2025-39541, cwe-862
Published: Tue Sep 09 2025 (09/09/2025, 16:25:30 UTC)
Source: CVE Database V5
Vendor/Project: Roland Murg
Product: WP Simple Booking Calendar

Description

Missing Authorization vulnerability in Roland Murg WP Simple Booking Calendar. This issue affects WP Simple Booking Calendar: from n/a through 2.0.13.

AI-Powered Analysis

Last updated: 09/09/2025, 18:54:38 UTC

Technical Analysis

CVE-2025-39541 is a Missing Authorization vulnerability (CWE-862) identified in the WordPress plugin 'WP Simple Booking Calendar' developed by Roland Murg. This vulnerability affects versions up to 2.0.13. The core issue arises from the plugin failing to properly enforce authorization checks on certain actions or endpoints, allowing authenticated users with limited privileges (PR:L - Privileges Required: Low) to perform operations they should not be authorized to execute. According to the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), the vulnerability can be exploited remotely over the network with low attack complexity and does not require user interaction. The impact primarily affects confidentiality, allowing unauthorized disclosure of sensitive booking calendar data, but does not affect integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in April 2025 and published in September 2025, indicating recent discovery. The lack of authorization checks in a booking calendar plugin could allow attackers to access private booking information or calendar entries, potentially exposing sensitive scheduling data or customer information. Given that WordPress plugins are widely used, this vulnerability could be leveraged in targeted attacks against websites relying on this plugin for booking management.
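The analysis above describes the general shape of a CWE-862 defect in a WordPress plugin: an action handler is reachable by any authenticated account, but the handler never asks whether that account is allowed to do what it requests. The following is an added illustration written for this page, not code from WP Simple Booking Calendar or from Roland Murg; the hook names (`example_export_bookings`), the capability used and the `example_bookings` table are hypothetical placeholders. It places the vulnerable pattern beside the hardened one so reviewers know what to look for when auditing a plugin's AJAX endpoints. The key WordPress fact it relies on is that `wp_ajax_{action}` hooks fire for every logged-in user regardless of role, which is exactly the PR:L (low privilege) condition in the CVSS vector.

```php
<?php
/**
 * Added illustration for CWE-862 in a WordPress plugin. Not the plugin's own
 * code: the action names, capability and table name are hypothetical placeholders.
 */

// VULNERABLE SHAPE (CWE-862): wp_ajax_* runs for ANY authenticated user, so a
// subscriber-level account can call this and read every booking row.
add_action( 'wp_ajax_example_export_bookings', 'example_export_bookings_unchecked' );
function example_export_bookings_unchecked() {
    global $wpdb;
    // No capability check and no nonce check before touching the data.
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}example_bookings", ARRAY_A );
    wp_send_json_success( $rows );
}

// HARDENED SHAPE: verify request intent (nonce) and authorization (capability)
// before any data access. Both checks are needed; the nonce alone does not
// establish that the caller's role may read bookings.
add_action( 'wp_ajax_example_export_bookings_secure', 'example_export_bookings_checked' );
function example_export_bookings_checked() {
    // CSRF guard: the request must carry a nonce minted for this specific action.
    // check_ajax_referer() terminates the request with a -1 response on failure.
    check_ajax_referer( 'example_export_bookings', 'nonce' );

    // Authorization: only roles granted this capability may read bookings.
    // A plugin-specific capability (granted to chosen roles at activation)
    // is preferable to reusing 'manage_options' if finer control is wanted.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    global $wpdb;
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}example_bookings", ARRAY_A );
    wp_send_json_success( $rows );
}

// Hand the nonce to the admin-side script that calls the secure endpoint.
// Assumes a script registered under the hypothetical handle 'example-booking-admin'.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-booking-admin', 'exampleBooking', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_export_bookings' ),
    ) );
} );
```

When reviewing a plugin for this class of defect, the practical check is to list every `add_action( 'wp_ajax_...' )`, `wp_ajax_nopriv_...` and `register_rest_route()` registration and confirm that each handler (or, for REST routes, the `permission_callback`) calls `current_user_can()` with an appropriate capability before reading or writing data. A handler that only checks a nonce, or whose REST `permission_callback` is `__return_true`, has the same missing-authorization shape as the vulnerable function above.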

Potential Impact

For European organizations, especially those in sectors like hospitality, healthcare, education, or any service relying on online booking systems, this vulnerability poses a risk of unauthorized data exposure. Confidential booking details, customer information, or internal scheduling data could be accessed by low-privilege users or attackers who have gained limited access, leading to privacy violations and potential regulatory non-compliance under GDPR. Although the vulnerability does not affect data integrity or availability, the confidentiality breach alone can damage organizational reputation and customer trust. Additionally, attackers could use the exposed information for further social engineering or targeted attacks. Organizations using WP Simple Booking Calendar should consider the sensitivity of the data managed by the plugin and the potential impact of unauthorized disclosure. The medium severity rating reflects the significant confidentiality impact balanced by the requirement for some level of authenticated access.

Mitigation Recommendations

1. Immediate mitigation involves restricting access to the WP Simple Booking Calendar plugin's administrative and data endpoints to only fully trusted users. Implement strict role-based access controls (RBAC) within WordPress to limit plugin access to administrators or trusted roles.
2. Monitor user activities and audit logs for unusual access patterns related to booking calendar data.
3. Since no official patch is linked yet, organizations should follow the vendor's updates closely and apply patches as soon as they become available.
4. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block unauthorized attempts to access booking calendar endpoints.
5. If feasible, temporarily disable or replace the plugin with alternative booking solutions that have verified authorization controls until a patch is released.
6. Educate site administrators about the risk and ensure strong authentication mechanisms are in place to prevent unauthorized account access that could be leveraged to exploit this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-04-16T06:24:47.077Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c076b59256f7c60d152ef4

Added to database: 9/9/2025, 6:49:25 PM

Last enriched: 9/9/2025, 6:54:38 PM

Last updated: 9/10/2025, 4:07:21 AM
