CVE-2025-67581 identifies a missing authorization vulnerability in the themetechmount TrueBooker plugin, which is used for appointment booking on WordPress sites. The flaw arises from incorrectly configured access control security levels, allowing unauthenticated remote attackers to bypass authorization mechanisms. This can lead to unauthorized access to certain functionalities or data within the plugin, although the exact data exposure is limited to confidentiality impact without affecting integrity or availability. The vulnerability affects all versions up to and including 1.1.0. The CVSS 3.1 base score is 5.3 (medium), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact. No known exploits have been reported in the wild, and no patches have been officially released as of the publication date. The vulnerability’s root cause is a failure to enforce proper access control checks on sensitive endpoints or functions, which is a common security oversight in web applications. Organizations using TrueBooker should be aware that attackers could remotely query or manipulate booking data without authentication, potentially leading to information disclosure or privacy violations. Given the plugin’s use in managing customer appointments, this could expose personal or business-sensitive scheduling information. The vulnerability does not allow modification or deletion of data, nor does it cause denial of service, limiting its overall impact. However, the ease of exploitation and lack of required privileges make it a notable risk. Monitoring for vendor patches and applying them promptly is essential once available.

For European organizations, the primary impact is the potential unauthorized disclosure of appointment booking information, which may include personal data protected under GDPR. This could lead to privacy breaches, reputational damage, and regulatory penalties. Although the vulnerability does not allow data modification or service disruption, the exposure of sensitive scheduling data could facilitate further targeted attacks such as social engineering or phishing. Service providers in healthcare, legal, or consulting sectors using TrueBooker may be particularly sensitive to such data leaks. The medium severity rating reflects the limited scope of impact but acknowledges the risk posed by unauthenticated remote exploitation. Organizations relying on TrueBooker for client management should consider the risk of unauthorized data access and the implications for compliance with European data protection laws. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits following public disclosure. The vulnerability could also undermine customer trust if appointment data is exposed, impacting business continuity and client relationships.

Since no official patches are currently available, European organizations should implement compensating controls immediately. These include restricting access to the TrueBooker plugin endpoints via web application firewalls (WAFs) or IP whitelisting to trusted networks only. Conduct thorough access control reviews and harden WordPress installations by disabling or limiting plugin functionalities that are not essential. Monitor web server and application logs for unusual or unauthorized access attempts targeting TrueBooker endpoints. Employ network segmentation to isolate systems running TrueBooker from critical infrastructure. Regularly back up appointment data and ensure backups are securely stored offline. Engage with the vendor to obtain updates on patch availability and apply patches promptly once released. Additionally, organizations should review their privacy policies and incident response plans to address potential data exposure incidents. User education on phishing risks related to leaked appointment data can reduce follow-on attack risks. Finally, consider alternative appointment booking solutions if immediate patching is not feasible and the risk is unacceptable.