CVE-2025-6814: CWE-862 Missing Authorization in dunskii Booking X – Appointment and Reservation Availability Calendar

High
Tags: Vulnerability, CVE-2025-6814, cve, cwe-862
Published: Fri Jul 04 2025 (07/04/2025, 01:44:04 UTC)
Source: CVE Database V5
Vendor/Project: dunskii
Product: Booking X – Appointment and Reservation Availability Calendar

Description

The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request.

AI-Powered Analysis

AILast updated: 07/14/2025, 21:28:37 UTC

Technical Analysis

CVE-2025-6814 is a high-severity vulnerability in the Booking X – Appointment and Reservation Availability Calendar WordPress plugin by dunskii, affecting versions 1.0 through 1.1.2. The root cause is a missing authorization check (CWE-862) in the export_now() function, which exports the plugin's data: the function never verifies that the caller is an authorized user, so it runs for anyone who can reach it. An unauthenticated attacker can therefore send a crafted POST request to the endpoint that invokes export_now() and download all plugin data without any privilege check. The exposed data includes user accounts, user metadata and, most critically, the PayPal credentials stored by the plugin.

The vulnerability carries a CVSS v3.1 base score of 7.5: network exploitable (AV:N), low attack complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N). The impact is on confidentiality only; integrity and availability are not directly affected. No exploits are currently reported in the wild, but the trivial exploitation path and the sensitivity of the exported data make this a significant threat, and bulk scanning for affected sites needs no more than a single unauthenticated request per host.

The CVE was reserved on June 27, 2025 and published on July 4, 2025, so discovery and disclosure are recent. No official patch or updated version has been linked at the time of this analysis, which raises the urgency of interim mitigation. Because Booking X is a WordPress plugin, the attack surface is every WordPress site running an affected version, typically businesses that use it for appointment scheduling and reservation management.
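To make the CWE-862 pattern concrete, the following is an added illustration of how a WordPress export handler ends up reachable by unauthenticated callers, placed beside a hardened version. It is not Booking X code and is not taken from the advisory: the AJAX action name bx_export_now, the function names, the option key bx_settings and the secret keys inside it are all hypothetical, and the snippet assumes it is loaded as part of a WordPress plugin (it relies on WordPress core functions such as add_action, current_user_can, check_ajax_referer and wp_send_json).

```php
<?php
/*
 * Added illustration of CWE-862 (missing authorization) in a WordPress
 * AJAX handler. All names are hypothetical; this is not the Booking X
 * plugin's code. Assumes it is loaded inside WordPress as part of a plugin.
 */

/* ---- Vulnerable shape ------------------------------------------------ */

// Registering the callback on wp_ajax_nopriv_* makes it fire for visitors
// who are not logged in, and the callback itself never checks who is asking.
// Result: any POST to wp-admin/admin-ajax.php with action=bx_export_now
// returns the whole dump.
add_action( 'wp_ajax_bx_export_now',        'bx_export_now_vulnerable' );
add_action( 'wp_ajax_nopriv_bx_export_now', 'bx_export_now_vulnerable' );

function bx_export_now_vulnerable() {
    global $wpdb;

    $users    = $wpdb->get_results( "SELECT * FROM {$wpdb->users}", ARRAY_A );
    $usermeta = $wpdb->get_results( "SELECT * FROM {$wpdb->usermeta}", ARRAY_A );
    // Hypothetical option key; imagine payment-gateway credentials stored here.
    $settings = get_option( 'bx_settings', array() );

    wp_send_json( array(
        'users'    => $users,
        'usermeta' => $usermeta,
        'settings' => $settings,
    ) );
}

/* ---- Hardened shape -------------------------------------------------- */

// 1. No wp_ajax_nopriv_* registration: unauthenticated requests never reach
//    the callback (admin-ajax.php replies "0" with HTTP 400 instead).
// 2. Nonce check stops CSRF through an administrator's browser session.
// 3. Explicit capability check: being logged in is not authorization.
// 4. Secrets are stripped from the export; they do not belong in a dump.
add_action( 'wp_ajax_bx_export_now', 'bx_export_now_hardened' );

function bx_export_now_hardened() {
    // Verifies the 'nonce' POST field against the 'bx_export_now' action;
    // dies with HTTP 403 on failure.
    check_ajax_referer( 'bx_export_now', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    global $wpdb;

    // Export only the columns an administrator actually needs; never the
    // password hash or activation keys from wp_users.
    $users    = $wpdb->get_results(
        "SELECT ID, user_login, user_email, display_name FROM {$wpdb->users}",
        ARRAY_A
    );
    $usermeta = $wpdb->get_results(
        "SELECT user_id, meta_key, meta_value FROM {$wpdb->usermeta}",
        ARRAY_A
    );

    $settings = get_option( 'bx_settings', array() );
    // Hypothetical secret keys; strip anything a dump must not carry.
    foreach ( array( 'paypal_client_id', 'paypal_secret' ) as $secret_key ) {
        unset( $settings[ $secret_key ] );
    }

    wp_send_json_success( array(
        'users'    => $users,
        'usermeta' => $usermeta,
        'settings' => $settings,
    ) );
}

// The admin page that triggers the export must send the matching nonce,
// e.g. wp_localize_script( $handle, 'bxExport', array(
//          'nonce' => wp_create_nonce( 'bx_export_now' ) ) );
```

After deploying a fix of this shape, a quick check is an unauthenticated POST to wp-admin/admin-ajax.php with action=bx_export_now: WordPress core answers 0 with HTTP 400 when no wp_ajax_nopriv_ handler is registered for that action, and the hardened callback itself rejects any logged-in user who lacks the capability or omits the nonce.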

Potential Impact

For European organizations, this vulnerability poses a serious risk to data confidentiality, especially for businesses that rely on Booking X to manage appointments and reservations. Exposure of user accounts and user metadata enables account-takeover attempts, targeted phishing of customers and staff, and a loss of privacy that is directly reportable under the GDPR. Disclosure of the stored PayPal credentials is the most acute issue, since it can lead to unauthorized transactions and financial fraud against the merchant account. Organizations in healthcare, legal services, hospitality and other customer-facing sectors that use this plugin are at heightened risk, and a confirmed breach of personal data may bring regulatory penalties alongside reputational damage. Because exploitation requires neither authentication nor user interaction, attackers can automate it at scale across many European websites. With no patch available, organizations must act quickly to contain exposure. The exported data could also serve as a foothold for follow-on attacks, such as credential reuse against other systems or lateral movement, if it contains enough reusable secrets to pivot from.

Mitigation Recommendations

Immediate mitigation steps:

1) Identify all WordPress instances running Booking X versions 1.0 to 1.1.2 (check the plugin header or the Plugins page) and disable or uninstall the plugin until a patched release is available.
2) Add Web Application Firewall (WAF) rules to block, or at minimum log, POST requests that invoke the plugin's export_now() handler or other export endpoints. If the handler is reached through a generic WordPress entry point such as wp-admin/admin-ajax.php, match on the request parameters rather than the path alone, since blocking the whole entry point breaks front-end features of other plugins.
3) Restrict access to the WordPress admin area and plugin endpoints by IP allow-listing or VPN access where feasible.
4) Review web server logs for POST requests to the export functionality, especially from clients with no prior login session; any such hit should be treated as a confirmed data exposure rather than a mere attempt.
5) Rotate any PayPal credentials configured in the plugin and review the payment account for unauthorized activity. If the logs cannot prove the endpoint was never hit, assume the credentials are compromised.
6) Apply the principle of least privilege to WordPress user roles so that accounts exposed by the export cannot be used to do further damage.
7) Follow vendor and Wordfence advisories for an official fix and apply it promptly once released.
8) Brief administrators on the indicators above so that exploitation attempts are recognized and escalated.

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-27T15:57:14.714Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68673b5e6f40f0eb729e5fd8

Added to database: 7/4/2025, 2:24:30 AM

Last enriched: 7/14/2025, 9:28:37 PM

Last updated: 7/14/2025, 9:28:37 PM
