CVE-2025-6814: CWE-862 Missing Authorization in dunskii Booking X – Appointment and Reservation Availability Calendar
The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request.
AI Analysis
Technical Summary
CVE-2025-6814 is a vulnerability identified in the Booking X – Appointment and Reservation Availability Calendar WordPress plugin developed by dunskii, affecting versions 1.0 through 1.1.2. The root cause is a missing authorization check (CWE-862) on the export_now() function, which is responsible for exporting plugin data. Due to the absence of capability verification, unauthenticated attackers can issue a specially crafted POST request to this function and retrieve all stored plugin data. This data includes sensitive information such as user accounts, user meta information, and PayPal credentials, which could be leveraged for further attacks or financial fraud. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5, reflecting high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The scope is unchanged, and the impact is primarily on confidentiality, with no direct impact on integrity or availability. No patches have been released at the time of publication, and no known exploits have been observed in the wild. The vulnerability was publicly disclosed on July 4, 2025, and was reserved on June 27, 2025. The plugin is widely used in WordPress environments for booking and reservation management, making the vulnerability relevant to many organizations relying on this software for appointment scheduling and e-commerce transactions.
Potential Impact
The impact of CVE-2025-6814 is significant for organizations using the affected Booking X plugin versions. Unauthorized access to user accounts and metadata can lead to identity theft, phishing, and unauthorized account takeovers. Exposure of PayPal credentials poses a direct financial risk, potentially enabling fraudulent transactions or theft of funds. The confidentiality breach can damage organizational reputation and lead to regulatory penalties, especially under data protection laws like GDPR or CCPA. Since the vulnerability requires no authentication and can be exploited remotely, attackers can automate exploitation at scale, increasing the risk of widespread data breaches. Organizations relying on this plugin for customer bookings and payments may face operational disruptions if attackers leverage stolen credentials to manipulate bookings or payments. The absence of known exploits currently provides a window for proactive mitigation, but the ease of exploitation and sensitive data involved make this a critical threat to address promptly.
Mitigation Recommendations
To mitigate CVE-2025-6814, organizations should immediately audit their WordPress installations to identify the presence of the Booking X plugin versions 1.0 through 1.1.2. If found, the plugin should be disabled or removed until a vendor patch is released. In the absence of an official patch, organizations can implement web application firewall (WAF) rules to block or monitor POST requests targeting the export_now() function endpoint or suspicious export data requests. Restricting access to the plugin’s export functionality by IP whitelisting or requiring authentication via custom code or security plugins can reduce risk. Regularly monitoring server logs for unusual POST requests and anomalous data export activity is critical for early detection. Organizations should also review and rotate PayPal credentials and other sensitive data potentially exposed. Finally, maintain up-to-date backups and prepare incident response plans to quickly address any exploitation attempts.
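The missing-authorization pattern behind this CVE, and the capability check that closes it, shown as an added illustration in a hypothetical WordPress AJAX handler (this is not the Booking X plugin's own code; the hook names, nonce action, table name and helper function are assumptions):

```php
<?php
// Hypothetical illustration of CWE-862 in a WordPress AJAX export handler.
// NOT the Booking X plugin's code: hook names, nonce action and table
// name below are assumptions made for this example.

// Vulnerable shape: the export is reachable via a "nopriv" hook and the
// handler performs no capability or nonce check, so any unauthenticated
// POST to admin-ajax.php with this action triggers a full data dump.
add_action( 'wp_ajax_nopriv_bookingx_export', 'bookingx_export_now_vulnerable' ); // assumed hook
add_action( 'wp_ajax_bookingx_export',        'bookingx_export_now_vulnerable' ); // assumed hook

function bookingx_export_now_vulnerable() {
    bookingx_send_export(); // no authorization at all
}

// Hardened shape: register only for logged-in users (no nopriv hook),
// verify a nonce, and require an administrative capability.
add_action( 'wp_ajax_bookingx_export', 'bookingx_export_now_hardened' ); // assumed hook

function bookingx_export_now_hardened() {
    // Dies with HTTP 403 when the nonce is missing or invalid (CSRF defence).
    check_ajax_referer( 'bookingx_export_nonce', 'nonce' ); // assumed nonce action

    // The CWE-862 fix: enforce authorization before touching any data.
    // manage_options is held by administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    bookingx_send_export();
}

// Shared export routine; the table name is an assumption, the real
// plugin's schema is not described on this page.
function bookingx_send_export() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}bookingx_bookings", ARRAY_A );
    header( 'Content-Type: application/json' );
    header( 'Content-Disposition: attachment; filename="bookingx-export.json"' );
    echo wp_json_encode( $rows );
    wp_die();
}
```

When auditing a plugin for this class of bug, look for every `wp_ajax_nopriv_*` or `admin_post_nopriv_*` registration and `rest_route` callback with a permissive `permission_callback`, and confirm each handler that reads or writes sensitive data calls `current_user_can()` with an appropriate capability.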
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-27T15:57:14.714Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68673b5e6f40f0eb729e5fd8
Added to database: 7/4/2025, 2:24:30 AM
Last enriched: 2/26/2026, 3:52:41 PM
Last updated: 3/23/2026, 2:30:12 PM