CVE-2025-6814: CWE-862 Missing Authorization in dunskii Booking X – Appointment and Reservation Availability Calendar
The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request.
AI Analysis
Technical Summary
CVE-2025-6814 is a high-severity vulnerability affecting the Booking X – Appointment and Reservation Availability Calendar WordPress plugin developed by dunskii, specifically versions 1.0 through 1.1.2. The core issue is a missing authorization check (CWE-862) in the export_now() function, which is responsible for exporting plugin data. Because the function never verifies the caller's capability, unauthenticated attackers can exploit this flaw by sending a crafted POST request to the vulnerable endpoint. This allows them to download sensitive plugin data without any authentication or user interaction. The exposed data includes user accounts, user metadata, and critically, PayPal credentials stored by the plugin. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its network-exploitable nature (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high confidentiality impact (C:H) with no impact on integrity or availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the sensitivity of the data exposed make this a significant threat. The vulnerability affects a widely used WordPress plugin that manages appointment and reservation calendars, often integrated into small and medium-sized business websites, including those in Europe. The lack of a patch link suggests that a fix may not yet be publicly available, increasing the urgency for mitigation.
Potential Impact
For European organizations, especially small and medium enterprises (SMEs) that rely on WordPress and the Booking X plugin for managing appointments and reservations, this vulnerability poses a serious risk. Unauthorized access to user accounts and metadata can lead to privacy violations under GDPR, potentially resulting in regulatory fines and reputational damage. The exposure of PayPal credentials is particularly critical, as it could lead to financial fraud, unauthorized transactions, or theft of funds. Given the plugin's role in handling customer bookings, exploitation could also disrupt business operations and erode customer trust. The vulnerability's network accessibility and lack of required authentication mean attackers can remotely and stealthily extract sensitive data without alerting administrators. This could facilitate further attacks such as identity theft, phishing, or targeted fraud campaigns against European customers. The impact extends beyond individual businesses to their customers, potentially affecting data privacy on a broader scale within the European digital economy.
Mitigation Recommendations
Immediate mitigation steps include:
1) Identifying and inventorying all WordPress instances using the Booking X plugin, specifically versions 1.0 to 1.1.2.
2) Temporarily disabling or uninstalling the plugin until a security patch is released.
3) Monitoring web server logs for suspicious POST requests targeting the export_now() function or similar endpoints.
4) Implementing Web Application Firewall (WAF) rules to block unauthorized POST requests to the plugin's export functionality.
5) Restricting access to the plugin's export endpoint by IP whitelisting or authentication proxies where feasible.
6) Reviewing and rotating any exposed PayPal credentials or API keys to prevent misuse.
7) Applying the vendor's patch immediately once available and verifying the presence of proper capability checks in the export_now() function.
8) Educating site administrators about the risk and encouraging regular plugin updates and security audits.
These measures go beyond generic advice by focusing on immediate containment, detection, and credential protection tailored to this specific vulnerability.
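To make step 7 concrete, the following is an added example of what a correctly authorized WordPress AJAX export handler looks like, written for this page and not taken from the Booking X plugin. It contrasts the CWE-862 pattern (an export reachable through a hook with no capability check) with a hardened handler that requires a capability and a nonce before producing any data. All function and action names (example_export_now, example_collect_export_data, the 'example_export_now' action) are hypothetical placeholders; current_user_can(), check_ajax_referer(), wp_send_json_error(), wp_send_json_success() and add_action() are standard WordPress APIs.

```php
<?php
// Added example, not Booking X code. Hypothetical names throughout.

// Hypothetical helper standing in for whatever builds the export payload
// (user accounts, user meta, payment settings). Its body is not the point.
function example_collect_export_data() {
    return array( 'users' => array(), 'meta' => array(), 'settings' => array() );
}

// --- CWE-862 pattern (missing authorization) -------------------------------
// The handler builds and returns the export without ever asking who the
// caller is. Registering it on a wp_ajax_nopriv_ hook makes it reachable by
// unauthenticated POST requests; even on the wp_ajax_ hook alone, any
// logged-in subscriber could call it. Shown only for contrast.
function example_export_now_insecure() {
    wp_send_json_success( example_collect_export_data() );
}
add_action( 'wp_ajax_nopriv_example_export_now', 'example_export_now_insecure' );
add_action( 'wp_ajax_example_export_now', 'example_export_now_insecure' );

// --- Hardened handler ------------------------------------------------------
function example_export_now_secure() {
    // 1. Authorization: only users who may administer the site can export.
    //    'manage_options' is the usual administrator-level capability; a
    //    plugin may define a narrower custom capability instead.
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request after sending the body.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. Request forgery protection: the request must carry a nonce minted
    //    for this action (e.g. via wp_create_nonce( 'example_export_now' )
    //    in the admin page). check_ajax_referer() dies on a missing/invalid
    //    nonce by default.
    check_ajax_referer( 'example_export_now', 'nonce' );

    // 3. Only after both checks pass is any data assembled or returned.
    wp_send_json_success( example_collect_export_data() );
}

// Register ONLY the authenticated hook. Deliberately no wp_ajax_nopriv_
// registration: an export of account data has no legitimate anonymous caller.
add_action( 'wp_ajax_example_export_now', 'example_export_now_secure' );
```

When reviewing a vendor patch for this CVE (step 7), the things to look for in the export code path are exactly these: a current_user_can() call against a suitable capability before any data is gathered, a nonce check (check_ajax_referer() or check_admin_referer()), and no wp_ajax_nopriv_ or other unauthenticated route to the same function. A nonce on its own is not an authorization check; the capability test is the fix for CWE-862.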
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-27T15:57:14.714Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68673b5e6f40f0eb729e5fd8
Added to database: 7/4/2025, 2:24:30 AM
Last enriched: 7/4/2025, 2:39:34 AM
Last updated: 7/4/2025, 3:55:30 AM