CVE-2025-4691: CWE-639 Authorization Bypass Through User-Controlled Key in syntactics eaSYNC Booking – Hotels, Restaurants & Car Rentals
The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' parameter due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.
AI Analysis
Technical Summary
CVE-2025-4691 is an authorization bypass vulnerability classified under CWE-639 in the eaSYNC Booking WordPress plugin. The flaw is an insecure direct object reference: the 'view_request_details' parameter carries a user-controlled key that the plugin uses to look up a booking request without verifying that the requester is entitled to that record. As a result, unauthenticated attackers can read booking request details they should not be able to see. Partial patches were introduced in versions 1.3.18 and 1.3.21, but the advisory still lists all versions up to and including 1.3.21 as affected. No complete patch or official fix is confirmed from the provided data.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to view sensitive booking request details without authorization. This compromises the confidentiality of booking information (which may include guest personal data) but does not affect integrity or availability. No exploits in the wild have been reported at this time.
Mitigation Recommendations
Partial patches exist in versions 1.3.18 and 1.3.21; however, no complete fix is confirmed. Users should upgrade to the latest plugin version available and monitor vendor advisories for a full patch. Until a full fix is released, restrict access to the plugin's booking request details endpoint (for example, at the web server or WAF level) and consider additional access controls so that booking details are only served to authenticated, authorized users. Reviewing web server logs for unexpected requests to the 'view_request_details' endpoint can help detect attempted enumeration.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-14T15:45:37.633Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683af5e1182aa0cae2e055b6
Added to database: 5/31/2025, 12:28:17 PM
Last enriched: 4/9/2026, 5:29:52 PM
Last updated: 5/8/2026, 1:36:44 PM