CVE-2025-6814 is a high-severity vulnerability affecting the Booking X – Appointment and Reservation Availability Calendar WordPress plugin developed by dunskii, specifically versions 1.0 through 1.1.2. The core issue is a missing authorization check (CWE-862) in the export_now() function, which is responsible for exporting plugin data. Due to the absence of proper capability verification, unauthenticated attackers can exploit this flaw by sending a crafted POST request to the vulnerable endpoint. This allows them to download sensitive plugin data without any authentication or user interaction. The exposed data includes user accounts, user metadata, and critically, PayPal credentials stored by the plugin. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its network exploitable nature (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high confidentiality impact (C:H) with no impact on integrity or availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the sensitivity of the data exposed make this a significant threat. The vulnerability affects a widely used WordPress plugin that manages appointment and reservation calendars, often integrated into small and medium-sized business websites, including those in Europe. The lack of a patch link suggests that a fix may not yet be publicly available, increasing the urgency for mitigation.

For European organizations, especially small and medium enterprises (SMEs) that rely on WordPress and the Booking X plugin for managing appointments and reservations, this vulnerability poses a serious risk. Unauthorized access to user accounts and metadata can lead to privacy violations under GDPR, potentially resulting in regulatory fines and reputational damage. The exposure of PayPal credentials is particularly critical, as it could lead to financial fraud, unauthorized transactions, or theft of funds. Given the plugin's role in handling customer bookings, exploitation could also disrupt business operations and customer trust. The vulnerability's network accessibility and lack of required authentication mean attackers can remotely and stealthily extract sensitive data without alerting administrators. This could facilitate further attacks such as identity theft, phishing, or targeted fraud campaigns against European customers. The impact extends beyond individual businesses to their customers, potentially affecting data privacy on a broader scale within the European digital economy.

Immediate mitigation steps include: 1) Identifying and inventorying all WordPress instances using the Booking X plugin, specifically versions 1.0 to 1.1.2. 2) Temporarily disabling or uninstalling the plugin until a security patch is released. 3) Monitoring web server logs for suspicious POST requests targeting the export_now() function or similar endpoints. 4) Implementing Web Application Firewall (WAF) rules to block unauthorized POST requests to the plugin's export functionality. 5) Restricting access to the plugin's export endpoint by IP whitelisting or authentication proxies where feasible. 6) Reviewing and rotating any exposed PayPal credentials or API keys to prevent misuse. 7) Applying the vendor's patch immediately once available and verifying the presence of proper capability checks in the export_now() function. 8) Educating site administrators about the risk and encouraging regular plugin updates and security audits. These measures go beyond generic advice by focusing on immediate containment, detection, and credential protection tailored to this specific vulnerability.