CVE-2025-67574: Missing Authorization in wpdevart Booking calendar, Appointment Booking System
Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System (booking-calendar) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.30.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-67574 identifies a missing authorization vulnerability in the wpdevart Booking calendar and Appointment Booking System WordPress plugin, affecting versions up to 3.2.30. The flaw stems from incorrectly configured access control security levels, which fail to properly verify whether a user has the necessary permissions before granting access to certain booking calendar functionalities or data. This lack of authorization checks allows unauthenticated remote attackers to exploit the system without requiring any privileges or user interaction. The vulnerability impacts confidentiality by potentially exposing sensitive booking or appointment data but does not affect data integrity or system availability. The CVSS 3.1 base score of 5.3 reflects these characteristics: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), limited confidentiality impact (C:L), and no integrity or availability impact (I:N, A:N). No public exploits have been reported yet, but the vulnerability poses a risk to websites relying on this plugin for appointment management, especially those handling personal or sensitive customer information. The issue was published on December 9, 2025, by Patchstack, but no official patches or updates are currently linked, indicating that users must monitor vendor communications closely. The vulnerability is particularly relevant for WordPress sites in sectors such as healthcare, legal, education, and service industries where appointment booking is common. Attackers exploiting this flaw could retrieve booking details or manipulate booking-related data visibility, potentially leading to privacy violations or information disclosure. The vulnerability's presence in a widely used plugin underscores the importance of timely patching and access control hardening in WordPress environments.
Potential Impact
For European organizations, the missing authorization vulnerability in the wpdevart Booking calendar plugin could lead to unauthorized disclosure of sensitive appointment and booking information, impacting customer privacy and potentially violating GDPR requirements. This exposure could damage organizational reputation and erode customer trust, especially in sectors handling sensitive personal data such as healthcare, legal services, and education. Although the vulnerability does not allow data modification or system disruption, the confidentiality breach alone can have regulatory and compliance consequences. Organizations relying on this plugin for managing appointments may face targeted reconnaissance or data harvesting by attackers exploiting this flaw. Given the plugin's popularity among small and medium enterprises using WordPress, the scope of affected systems in Europe is significant. The ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and exploitation attempts. Consequently, the vulnerability could be leveraged for further attacks, such as social engineering or phishing campaigns using exposed data. The impact is thus primarily on confidentiality and privacy, with indirect effects on organizational trust and regulatory compliance.
Mitigation Recommendations
European organizations should immediately inventory their WordPress installations to identify the presence and version of the wpdevart Booking calendar plugin. Until an official patch is released, organizations should implement strict access control measures at the web server or application firewall level to restrict access to booking calendar endpoints only to authorized users or IP ranges. Employing Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized access attempts targeting the plugin's API or interface is recommended. Monitoring web server logs for unusual or unauthorized access patterns related to booking calendar URLs can help detect exploitation attempts early. Organizations should subscribe to vendor and security mailing lists to receive timely updates and apply patches as soon as they become available. Additionally, consider disabling or replacing the vulnerable plugin with alternative booking systems that have robust access control mechanisms. Conduct regular security audits and penetration testing focused on WordPress plugins to identify similar authorization issues proactively. Finally, ensure that all WordPress core and plugins are kept up to date to minimize exposure to known vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-09T12:21:28.863Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693833ab29cea75c35ae56e6
Added to database: 12/9/2025, 2:35:23 PM
Last enriched: 2/13/2026, 6:47:53 AM
Last updated: 3/23/2026, 11:34:25 PM
Views: 84