CVE-2025-4691: CWE-639 Authorization Bypass Through User-Controlled Key in syntactics Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking

Severity: Medium
Published: Sat May 31 2025 (05/31/2025, 11:18:54 UTC)
Source: CVE Database V5
Vendor/Project: syntactics
Product: Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking

Description

The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 14:49:26 UTC

Technical Analysis

The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking, a WordPress plugin widely used to manage bookings, suffers from an authorization bypass vulnerability identified as CVE-2025-4691. This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and manifests as an insecure direct object reference (IDOR). Specifically, the plugin fails to properly validate the 'view_request_details' parameter, which is user-controlled. This lack of validation allows unauthenticated attackers to manipulate the key parameter to access booking request details that should be restricted. The vulnerability affects all plugin versions up to 1.3.21, with partial fixes introduced in versions 1.3.18 and 1.3.21, indicating incomplete remediation. The CVSS 3.1 base score of 5.3 reflects that the attack vector is network-based (remote), requires no privileges or user interaction, but impacts confidentiality only, with no effect on integrity or availability. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk of unauthorized data disclosure. The plugin’s role in handling sensitive booking information for hotels, restaurants, and car rentals means that exposed data could include personally identifiable information (PII), booking details, and potentially payment-related information. The vulnerability’s exploitation could lead to privacy violations, reputational damage, and regulatory compliance issues for affected organizations. The partial patching suggests that users should be cautious and verify that their plugin version fully addresses the issue or apply additional access control measures. Given the plugin’s integration with WordPress, a platform with a large global footprint, the vulnerability has broad potential impact.

Potential Impact

The primary impact of CVE-2025-4691 is unauthorized disclosure of booking request details, which may contain sensitive customer information such as names, contact details, booking dates, and possibly payment information. This breach of confidentiality can lead to privacy violations and undermine customer trust. Organizations operating hospitality services using this plugin risk reputational damage and potential legal consequences under data protection regulations like GDPR or CCPA. While the vulnerability does not affect data integrity or availability, the exposure of sensitive data can facilitate targeted phishing, social engineering, or identity theft attacks. The ease of exploitation—requiring no authentication or user interaction—makes the threat accessible to a wide range of attackers, including opportunistic threat actors scanning for vulnerable WordPress sites. The partial patching status increases the risk that some installations remain vulnerable despite updates. Overall, the vulnerability could lead to significant operational and compliance challenges for affected organizations worldwide, especially those heavily reliant on the plugin for booking management.

Mitigation Recommendations

1. Immediately verify the plugin version in use and upgrade to the latest version once a complete patch addressing CVE-2025-4691 is released by the vendor.
2. Until a full patch is available, implement strict access controls on the 'view_request_details' functionality, ensuring only authenticated and authorized users can access booking details.
3. Employ Web Application Firewalls (WAFs) to detect and block suspicious requests attempting to manipulate the 'view_request_details' parameter.
4. Conduct thorough code reviews and penetration testing focused on IDOR vulnerabilities in the plugin and other similar components.
5. Monitor server and application logs for unusual access patterns or repeated attempts to access booking details without authentication.
6. Educate site administrators on the risks of using outdated plugins and the importance of timely updates.
7. Consider temporarily disabling the affected feature if feasible until a secure patch is confirmed.
8. Implement least privilege principles for user roles within the WordPress environment to limit exposure.
9. Regularly back up booking data and ensure incident response plans include scenarios involving data disclosure.
10. Engage with the plugin vendor or community to track patch releases and vulnerability disclosures.
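The flaw described in the technical analysis, and recommendation 2 above, both come down to one missing step: the handler must check the requester against the specific object that the user-supplied key selects, not merely check that an endpoint exists. The following is an added illustration written in the style of a WordPress AJAX handler; it is not code from the eaSYNC Booking plugin. The action name, the nonce action, the post type `easync_booking`, and the assumption that the customer's user ID is stored in `post_author` are all hypothetical and chosen only to make the pattern concrete.

```php
<?php
// Added illustrative example; not code from the eaSYNC Booking plugin.
// Assumptions (hypothetical): bookings are a custom post type 'easync_booking'
// whose post_author is the customer who created the request.

// Pattern that produces CWE-639: the ID comes straight from the client and is used
// as the lookup key without asking who is requesting it.
function example_view_request_details_insecure() {
    $booking_id = isset( $_GET['view_request_details'] ) ? absint( $_GET['view_request_details'] ) : 0;
    $booking    = get_post( $booking_id );
    if ( ! $booking ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Any caller who supplies a valid ID receives the record: no authentication,
    // no ownership check, so every booking is reachable by key alone.
    wp_send_json_success( array( 'details' => $booking->post_content ) );
}

// Hardened pattern: authenticate, verify request intent (nonce), then authorize
// against the object itself, and fail closed with an indistinguishable response.
function example_view_request_details_secure() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    check_ajax_referer( 'easync_view_request', 'nonce' ); // hypothetical nonce action name

    $booking_id = isset( $_GET['view_request_details'] ) ? absint( $_GET['view_request_details'] ) : 0;
    $booking    = get_post( $booking_id );

    // Object-level authorization: the record must exist, be of the expected type,
    // and belong to the requester unless the requester holds a management capability.
    $is_booking = $booking && 'easync_booking' === $booking->post_type;
    $is_owner   = $is_booking && (int) $booking->post_author === get_current_user_id();
    $is_manager = current_user_can( 'manage_options' );

    if ( ! $is_booking || ( ! $is_owner && ! $is_manager ) ) {
        // Same status for "does not exist" and "not yours" so that responses do not
        // reveal which IDs are valid.
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array( 'details' => $booking->post_content ) );
}

// Register only the hardened handler, and only on the logged-in hook (wp_ajax_),
// not wp_ajax_nopriv_, so unauthenticated requests never reach the lookup at all.
add_action( 'wp_ajax_easync_view_request_details', 'example_view_request_details_secure' );
```

Two design points carry the weight here. First, the authorization decision is made per object (`post_author` versus `get_current_user_id()`), because a capability or login check alone would still let any customer read any other customer's booking. Second, the hardened handler returns the same 404 for a missing record and for a record the caller may not see, which keeps the endpoint from confirming which keys are live; combined with WAF and log monitoring (recommendations 3 and 5), that removes the enumeration signal an IDOR depends on.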

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-14T15:45:37.633Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683af5e1182aa0cae2e055b6

Added to database: 5/31/2025, 12:28:17 PM

Last enriched: 2/27/2026, 2:49:26 PM

Last updated: 3/26/2026, 9:38:33 AM
