CVE-2025-4691: CWE-639 Authorization Bypass Through User-Controlled Key in syntactics Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking
The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.
AI Analysis
Technical Summary
CVE-2025-4691 is a medium-severity vulnerability affecting the Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking, a WordPress plugin developed by syntactics. The vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, specifically an Insecure Direct Object Reference (IDOR). It exists in all versions up to and including 1.3.21 of the plugin. The flaw arises from insufficient validation of a user-controlled parameter, 'view_request_details', which allows unauthenticated attackers to access booking request details that should be restricted. This means an attacker can craft requests with manipulated keys to view sensitive booking information without any authentication or user interaction. The vulnerability was partially addressed in versions 1.3.18 and 1.3.21, but the description implies that the patch was incomplete, leaving some risk. The CVSS v3.1 base score is 5.3, reflecting a network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact (read-only access to booking details). There is no known exploitation in the wild as of the publication date (May 31, 2025). The vulnerability impacts confidentiality but does not affect integrity or availability. The plugin is used primarily by businesses in hospitality sectors to manage bookings via WordPress sites, making it a critical component for customer data privacy and business operations.
Potential Impact
For European organizations, especially those in the hospitality industry such as hotels, restaurants, and car rental services, this vulnerability poses a significant risk to customer privacy and data protection compliance. Unauthorized access to booking details could expose personally identifiable information (PII) of customers, including names, contact details, booking dates, and potentially payment-related information if stored or linked. This exposure could lead to reputational damage, loss of customer trust, and potential regulatory penalties under GDPR for failing to protect personal data adequately. Additionally, attackers could use the information for targeted phishing or social engineering attacks. While the vulnerability does not allow modification or deletion of data, the confidentiality breach alone is critical for businesses handling sensitive customer information. Given the widespread use of WordPress and the plugin's niche in hospitality, many small to medium enterprises (SMEs) across Europe could be affected, particularly those that have not updated or patched their plugins properly.
Mitigation Recommendations
1. Immediate upgrade to the latest patched version of the eaSYNC Booking plugin once a complete fix is released by syntactics. Monitor vendor communications for updates beyond version 1.3.21.
2. Until a full patch is available, implement web application firewall (WAF) rules to detect and block suspicious requests targeting the 'view_request_details' parameter, especially those originating from unauthenticated sources.
3. Restrict access to booking management pages by enforcing authentication and authorization checks at the web server or application level as a temporary control.
4. Conduct a thorough audit of all WordPress plugins and themes to ensure they are up to date and remove any unused or unsupported plugins.
5. Implement logging and monitoring to detect unusual access patterns to booking data, enabling rapid incident response.
6. Educate staff on the importance of timely patching and monitoring for vulnerabilities in third-party plugins.
7. Consider isolating the booking system or sensitive data storage behind additional access controls or network segmentation to reduce exposure.
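The following PHP is an added illustration and is not code from the eaSYNC Booking plugin or from syntactics. It shows a hypothetical WordPress AJAX handler that looks up a booking request by the client-supplied 'view_request_details' key with no checks (the CWE-639 / IDOR pattern described in the technical summary), followed by a hardened handler that applies the authentication and authorization checks recommended in item 3 above. All function, hook, table and column names (easync_demo_*, demo_booking_requests, user_id) are assumptions made for the example; the WordPress API calls used (check_ajax_referer, is_user_logged_in, current_user_can, absint, wp_send_json_error, wp_send_json_success) are real.

```php
<?php
// Added example (not the plugin's code). Hypothetical names throughout.

// --- Vulnerable pattern -----------------------------------------------------
// The request id comes straight from the query string and is used as the
// database key. There is no authentication, no nonce and no ownership check,
// so any caller can walk through ids and read every booking request.
function easync_demo_view_request_details_vulnerable() {
    global $wpdb;
    $request_id = isset( $_GET['view_request_details'] )
        ? absint( $_GET['view_request_details'] )
        : 0;
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}demo_booking_requests WHERE id = %d",
            $request_id
        ),
        ARRAY_A
    );
    wp_send_json( $row ); // returns the record to whoever asked
}
// Registered for logged-in AND anonymous callers: the 'nopriv' hook is what
// turns a missing authorization check into an unauthenticated IDOR.
add_action( 'wp_ajax_demo_view_request_details_v1',        'easync_demo_view_request_details_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_view_request_details_v1', 'easync_demo_view_request_details_vulnerable' );

// --- Hardened pattern -------------------------------------------------------
function easync_demo_view_request_details_hardened() {
    global $wpdb;

    // 1. Authentication: anonymous callers are rejected outright.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'authentication required' ), 401 );
    }

    // 2. CSRF protection: nonce issued for this specific action must match.
    check_ajax_referer( 'demo_view_request_details', 'nonce' );

    // 3. Input validation: the key must be a positive integer.
    $request_id = isset( $_GET['view_request_details'] )
        ? absint( $_GET['view_request_details'] )
        : 0;
    if ( $request_id < 1 ) {
        wp_send_json_error( array( 'message' => 'invalid request id' ), 400 );
    }

    // 4. Authorization: the record must belong to the caller, or the caller
    //    must hold a capability that covers all bookings ('manage_options'
    //    is used here as a stand-in for a plugin-specific capability).
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}demo_booking_requests WHERE id = %d",
            $request_id
        ),
        ARRAY_A
    );
    $is_owner   = $row && (int) $row['user_id'] === get_current_user_id();
    $is_manager = current_user_can( 'manage_options' );
    if ( ! $row || ( ! $is_owner && ! $is_manager ) ) {
        // Same response for "does not exist" and "not yours", so the endpoint
        // cannot be used to confirm which ids exist.
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    wp_send_json_success( $row );
}
add_action( 'wp_ajax_demo_view_request_details_v2', 'easync_demo_view_request_details_hardened' );
// Deliberately no 'wp_ajax_nopriv_' registration for the hardened handler.
```

The two handlers are registered under different action names only so that both can coexist in one file for comparison; a real plugin would ship only the hardened one. Where guests legitimately book without a WordPress account, the ownership check in step 4 cannot use get_current_user_id(); the usual design is to store a high-entropy random lookup token with each booking (for example from wp_generate_password(32, false)), send it to the guest, and compare it with hash_equals() instead of accepting a sequential id. The point the example makes is that a sequential key is only safe when every read is paired with a check of who is allowed to read that particular record.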
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Austria, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-14T15:45:37.633Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683af5e1182aa0cae2e055b6
Added to database: 5/31/2025, 12:28:17 PM
Last enriched: 7/8/2025, 1:25:40 PM
Last updated: 8/8/2025, 8:24:18 PM