CVE-2025-6814 is a high-severity vulnerability affecting the Booking X – Appointment and Reservation Availability Calendar WordPress plugin developed by dunskii, specifically versions 1.0 through 1.1.2. The root cause is a missing authorization check (CWE-862) in the export_now() function, which is responsible for exporting plugin data. This flaw allows unauthenticated attackers to send a crafted POST request to the vulnerable endpoint and download all plugin-related data without any privilege verification. The exposed data includes sensitive user information such as user accounts, user meta data, and critically, PayPal credentials stored by the plugin. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting its network exploitable nature (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is primarily on confidentiality, as attackers can exfiltrate sensitive data, but integrity and availability are not directly affected. No known exploits are currently reported in the wild, but the ease of exploitation and the sensitivity of the data involved make this a significant threat. The vulnerability was published on July 4, 2025, shortly after being reserved on June 27, 2025, indicating recent discovery and disclosure. No official patches or updates have been linked yet, increasing the urgency for mitigation. Given that Booking X is a WordPress plugin, the attack surface includes any WordPress site running the affected versions of this plugin, which may be used by businesses for appointment scheduling and reservation management.

For European organizations, this vulnerability poses a serious risk to data confidentiality, especially for businesses relying on the Booking X plugin to manage appointments and reservations. The exposure of user accounts and meta data can lead to identity theft, targeted phishing, and further compromise of user privacy, which is particularly sensitive under the GDPR regulatory framework. The disclosure of PayPal credentials is especially critical as it can lead to financial fraud, unauthorized transactions, and significant financial losses. Organizations in sectors such as healthcare, legal services, hospitality, and any customer-facing businesses that use this plugin are at heightened risk. The breach of personal data could also result in regulatory penalties and reputational damage. Since the vulnerability requires no authentication or user interaction, attackers can automate exploitation at scale, potentially affecting numerous European websites. The lack of patches means organizations must act quickly to mitigate exposure. Additionally, the vulnerability could be leveraged as an initial access vector for further attacks, including lateral movement or ransomware deployment, if attackers gain sufficient information from the stolen data.

Immediate mitigation steps include: 1) Identifying all WordPress instances running the Booking X plugin version 1.0 to 1.1.2 and disabling or uninstalling the plugin until a patch is available. 2) Implementing Web Application Firewall (WAF) rules to block or monitor POST requests targeting the export_now() function or suspicious export endpoints. 3) Restricting access to the WordPress admin and plugin endpoints by IP whitelisting or VPN access where feasible. 4) Monitoring web server logs for unusual POST requests that could indicate exploitation attempts. 5) Rotating any exposed PayPal credentials and reviewing payment account activity for fraud. 6) Applying the principle of least privilege on WordPress user roles to limit potential damage from compromised accounts. 7) Staying updated with vendor advisories for official patches and applying them promptly once released. 8) Conducting security awareness training for administrators to recognize and respond to exploitation attempts. These measures go beyond generic advice by focusing on immediate containment, detection, and credential protection specific to this vulnerability.