CVE-2025-67574: Missing Authorization in wpdevart Booking calendar, Appointment Booking System

Severity: Medium
Published: Tue Dec 09 2025 (12/09/2025, 14:14:13 UTC)
Source: CVE Database V5
Vendor/Project: wpdevart
Product: Booking calendar, Appointment Booking System

Description

Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.30.

AI-Powered Analysis

Last updated: 12/09/2025, 15:05:46 UTC

Technical Analysis

CVE-2025-67574 is a Missing Authorization vulnerability (the CWE-862 weakness class) in the wpdevart Booking calendar, Appointment Booking System WordPress plugin (plugin slug booking-calendar), affecting every release up to and including 3.2.30. Missing authorization means that an operation the plugin exposes does not verify that the caller holds the capability it should require; the CAPEC pattern named in the description, "Exploiting Incorrectly Configured Access Control Security Levels", is the attacker's side of the same defect. The advisory does not say which operation is affected, what privilege level the caller needs, or what the caller can do with it. In a booking plugin the plausible targets are reading, changing or deleting appointment records, but that is inference from the plugin's purpose, not something the advisory states. In WordPress plugins this class of bug typically takes the form of an admin-ajax or REST handler that performs a privileged action after checking nothing, or after checking only a nonce, which protects against CSRF but not against an under-privileged user who can obtain the nonce from a page. Patchstack published the entry on December 9, 2025. No CVSS score is listed, no public exploit has been reported, and the entry carries no patch link, so 3.2.30 should be treated as the last known affected release and the vendor's changelog checked for a later one. The exposure is to the confidentiality and integrity of booking data, with a knock-on effect on availability if records can be deleted.
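The pattern described above, as an added example that is not the plugin's code and not part of the advisory: a heuristic scanner that walks PHP source for admin-ajax hooks and REST routes and reports handlers that never call current_user_can(). The two PHP samples embedded in it are constructed for the demonstration (hypothetical function and hook names); the first shows the vulnerable shape, including a handler that checks only a nonce, and the second shows the check a fix would add.

```python
"""Heuristic audit for WordPress request handlers that skip authorization.
Added example, not code from the wpdevart plugin or from the advisory. It scans
PHP source text for admin-ajax callbacks (wp_ajax_* / wp_ajax_nopriv_* hooks)
and REST routes and flags handlers whose body never checks a capability.
The PHP samples below are constructed; their names are hypothetical."""
import re
from dataclasses import dataclass

HOOK_RE = re.compile(r'add_action\(\s*[\'"]wp_ajax_(nopriv_)?(\w+)[\'"]\s*,\s*[\'"](\w+)[\'"]')
CAP_RE = re.compile(r'\bcurrent_user_can\s*\(')  # the actual authorization check
NONCE_RE = re.compile(r'\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(')  # CSRF only
REST_RE = re.compile(r'register_rest_route\(')

@dataclass
class Finding:
    kind: str      # 'ajax' or 'rest'
    name: str      # ajax action name or REST route
    public: bool   # reachable without logging in
    reason: str

def function_body(src, name):
    """Return the body of `function name(...) { ... }`, or None if not defined."""
    m = re.search(r'function\s+' + re.escape(name) + r'\s*\([^)]*\)\s*\{', src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:          # brace matching to find the closing '}'
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def call_args(src, open_paren):
    """Return the argument text of the call whose '(' sits at index open_paren."""
    depth = 0
    for i in range(open_paren, len(src)):
        depth += {'(': 1, ')': -1}.get(src[i], 0)
        if depth == 0:
            return src[open_paren + 1:i]
    return src[open_paren + 1:]

def audit(src):
    """List handlers in src that run without a capability check."""
    findings = []
    for nopriv, action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is None or CAP_RE.search(body):
            continue
        reason = ('nonce check only: CSRF protection, not authorization'
                  if NONCE_RE.search(body) else 'no capability or nonce check')
        findings.append(Finding('ajax', action, bool(nopriv), f'{callback}(): {reason}'))
    for m in REST_RE.finditer(src):
        args = call_args(src, m.end() - 1)
        route = re.search(r'[\'"](/[^\'"]*)[\'"]', args)   # first path-like string
        name = route.group(1) if route else '?'
        if 'permission_callback' not in args:
            findings.append(Finding('rest', name, True, 'no permission_callback'))
        elif '__return_true' in args:
            findings.append(Finding('rest', name, True, 'permission_callback is __return_true'))
    return findings

# Constructed sample of the vulnerable pattern (hypothetical names, not the plugin's code).
VULNERABLE_PHP = r"""
add_action( 'wp_ajax_nopriv_bc_delete_booking', 'bc_delete_booking' );
add_action( 'wp_ajax_bc_delete_booking', 'bc_delete_booking' );
function bc_delete_booking() {
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'bc_bookings', array( 'id' => intval( $_POST['id'] ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_bc_update_booking', 'bc_update_booking' );
function bc_update_booking() {
    check_ajax_referer( 'bc_nonce', 'nonce' );  // any logged-in user can obtain this nonce
    bc_save_booking( $_POST );
    wp_send_json_success();
}
register_rest_route( 'bc/v1', '/bookings', array(
    'methods' => 'GET', 'callback' => 'bc_list_bookings', 'permission_callback' => '__return_true',
) );
"""
# Same handlers with the checks a fix would add: nonce for CSRF plus a capability.
HARDENED_PHP = r"""
add_action( 'wp_ajax_bc_delete_booking', 'bc_delete_booking' );
function bc_delete_booking() {
    check_ajax_referer( 'bc_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'bc_bookings', array( 'id' => intval( $_POST['id'] ) ) );
    wp_send_json_success();
}
register_rest_route( 'bc/v1', '/bookings', array(
    'methods' => 'GET', 'callback' => 'bc_list_bookings',
    'permission_callback' => function () { return current_user_can( 'manage_options' ); },
) );
"""

if __name__ == '__main__':
    for label, php in (('vulnerable', VULNERABLE_PHP), ('hardened', HARDENED_PHP)):
        print(label, [(f.kind, f.name, f.public, f.reason) for f in audit(php)])
```

On the vulnerable sample the scanner reports four handlers: the delete callback twice (once reachable without login through the nopriv hook, once for any logged-in user), the update callback as nonce-only, and the REST route opened with __return_true. The hardened sample reports nothing. The check is deliberately coarse: it cannot tell whether current_user_can() is given the right capability, and a plugin that wraps the check in its own helper would need that helper's name added to CAP_RE.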

Potential Impact

For European organizations, this vulnerability puts the confidentiality and integrity of customer booking data at risk; that data typically includes personally identifiable information (names, contact details) and appointment details that can themselves be sensitive, for example in healthcare or legal practices. Unauthorized access could lead to a personal data breach with the notification duties and potential penalties that GDPR attaches to it, as well as reputational damage. Availability is affected indirectly if an attacker can alter or delete booking records and disrupt scheduling. Healthcare, legal, education and service businesses that run their appointment intake on WordPress are the obvious population at risk. The advisory does not state which privilege level is needed to exploit the flaw; until the vendor says otherwise, assume that any authenticated role is enough, which on sites with open user registration is equivalent to no authentication at all. Because the plugin is listed on WordPress.org and the vulnerable range covers every release to date, exploitation could be broad if sites are not updated. Stolen appointment data is also useful for follow-on phishing and social engineering, since an attacker who knows when and with whom a customer has an appointment can impersonate the business convincingly.

Mitigation Recommendations

Organizations should first establish whether the plugin is installed and which version is running: the plugin directory is wp-content/plugins/booking-calendar, and any version up to and including 3.2.30 is in the affected range. Check the vendor's changelog for a release later than 3.2.30 and apply it as soon as one is available; the advisory itself gives no patch link. Until then, reduce who can reach the plugin's handlers: disable open user registration (Settings > General, "Anyone can register") if it is not needed, review existing accounts and roles, and keep every account at the lowest role its work requires. Booking front ends are public by design, so blanket IP allow-listing is rarely practical, but wp-admin, wp-login.php and, where the site's public features permit it, the REST API and admin-ajax.php can be restricted at the WAF or web server to trusted networks. Monitor access logs for admin-ajax.php requests whose action parameter belongs to the plugin, and for REST requests under the plugin's namespace, coming from unexpected users or IP addresses. If the booking function is not business-critical, deactivate the plugin until a fix ships. Keep recent backups of the booking tables so that manipulated or deleted records can be restored, and follow Patchstack and the vendor for updates. A security plugin that logs and rate-limits admin-ajax and REST traffic helps with detection, and a targeted authorization review of the site's other plugins is worthwhile since this bug class is common across the WordPress ecosystem.
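The first mitigation step, identifying installs in the affected range, as an added example that is not part of the advisory or the vendor's tooling. It reads plugin headers the way WordPress does (the Plugin Name and Version lines in the first 8 KiB of the main file) and compares versions numerically, because a plain string comparison would rank "3.2.9" above "3.2.30". The plugins path and the sample header are constructed for the demonstration; the slug and the 3.2.30 boundary come from the advisory.

```python
"""Audit a WordPress install for wpdevart Booking calendar <= 3.2.30.
Added example (not from the advisory or the vendor). Paths and the sample
header below are constructed; the slug and version boundary are from the CVE."""
import os
import re

AFFECTED_SLUG = 'booking-calendar'   # plugin slug from the CVE description
LAST_AFFECTED = '3.2.30'             # "through <= 3.2.30" per the advisory
HEADER_RE = re.compile(r'^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$', re.M)

def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin main-file header."""
    hdr = {}
    for key, value in HEADER_RE.findall(text[:8192]):   # WordPress reads only the first 8 KiB
        hdr.setdefault(key, value)                      # first occurrence wins, as in WordPress
    return hdr

def version_key(version):
    """Leading dotted numeric prefix as a tuple: '3.2.30' -> (3, 2, 30).
    A pre-release suffix such as '-beta1' is dropped, which errs on the side of 'affected'."""
    m = re.match(r'\s*(\d+(?:\.\d+)*)', version)
    return tuple(int(n) for n in m.group(1).split('.')) if m else (0,)

def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected, compared component by component."""
    v, last = version_key(version), version_key(last_affected)
    width = max(len(v), len(last))
    return v + (0,) * (width - len(v)) <= last + (0,) * (width - len(last))

def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins; return (slug, name, version, affected) per plugin directory."""
    rows = []
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for filename in sorted(os.listdir(plugin_dir)):
            if not filename.endswith('.php'):
                continue
            with open(os.path.join(plugin_dir, filename), encoding='utf-8', errors='replace') as fh:
                hdr = parse_plugin_header(fh.read(8192))
            if 'Plugin Name' in hdr:               # the file carrying the header is the main file
                version = hdr.get('Version', '0')
                rows.append((slug, hdr['Plugin Name'], version,
                             slug == AFFECTED_SLUG and is_affected(version)))
                break
    return rows

# Constructed sample header, shaped like a WordPress plugin main file.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Booking calendar, Appointment Booking System
Description: constructed header for the example
Version: 3.2.30
*/
"""

if __name__ == '__main__':
    hdr = parse_plugin_header(SAMPLE_HEADER)
    print(hdr['Plugin Name'], hdr['Version'],
          'AFFECTED' if is_affected(hdr['Version']) else 'not in the affected range')
    plugins = '/var/www/html/wp-content/plugins'   # hypothetical path; point it at the real install
    if os.path.isdir(plugins):
        for row in scan_plugins_dir(plugins):
            print(row)
```

Run it on each WordPress document root; a row whose last field is True is in the advisory's range. A version above 3.2.30 is reported as not affected only in the sense that it lies outside the advertised range; whether it actually contains a fix is for the vendor's changelog to confirm.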


Technical Details

Data Version
5.2
Assigner Short Name
Patchstack
Date Reserved
2025-12-09T12:21:28.863Z
Cvss Version
null
State
PUBLISHED

Threat ID: 693833ab29cea75c35ae56e6

Added to database: 12/9/2025, 2:35:23 PM

Last enriched: 12/9/2025, 3:05:46 PM

Last updated: 12/10/2025, 8:58:47 PM


