CVE-2025-64261 identifies a Missing Authorization vulnerability in the codepeople Appointment Booking Calendar plugin, specifically in versions up to 1.3.95. This vulnerability stems from incorrectly configured access control security levels, which fail to properly restrict access to sensitive appointment booking functionalities. As a result, unauthenticated remote attackers can exploit this flaw to access or manipulate booking data without any authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), with a scope limited to the vulnerable component (S:U). The impact affects confidentiality and integrity but not availability, as indicated by the CVSS vector (C:L/I:L/A:N) and a base score of 6.5 (medium severity). Although no public exploits are currently known, the vulnerability poses a risk of unauthorized data disclosure and potential manipulation of appointment schedules, which could disrupt business operations or lead to privacy violations. The plugin is commonly used in WordPress environments for appointment scheduling, making it a target for attackers seeking to exploit web application vulnerabilities. The absence of vendor patches at the time of publication necessitates immediate mitigation through configuration review and access control hardening.

For European organizations, the impact of CVE-2025-64261 includes unauthorized access to sensitive appointment booking information, potentially exposing personal data of clients or employees. This can lead to privacy breaches under GDPR regulations, resulting in legal and financial consequences. Manipulation of booking data could disrupt business operations, causing reputational damage and loss of customer trust. Since the vulnerability allows unauthenticated remote exploitation, attackers can leverage it to gain footholds or pivot within networks, especially in organizations relying heavily on online appointment systems. Sectors such as healthcare, legal services, and public administration, which often use appointment booking plugins, are particularly at risk. The medium severity rating reflects moderate impact but ease of exploitation, emphasizing the need for timely remediation to prevent escalation or data leakage.

European organizations should immediately audit their use of the codepeople Appointment Booking Calendar plugin and verify the version in use. Until an official patch is released, implement strict access control measures at the web server or application firewall level to restrict access to booking management endpoints only to authorized users or IP ranges. Review and harden WordPress user roles and permissions to minimize exposure. Monitor web server logs for unusual or unauthorized access attempts targeting the plugin's functionalities. Consider temporarily disabling or replacing the plugin with a more secure alternative if critical business processes depend on it. Stay informed about vendor updates and apply patches promptly once available. Additionally, conduct regular security assessments and penetration tests focusing on web application authorization controls to detect similar misconfigurations.