CVE-2025-6814: CWE-862 Missing Authorization in dunskii Booking X – Appointment and Reservation Availability Calendar
The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request.
AI Analysis
Technical Summary
CVE-2025-6814 is a high-severity vulnerability in the Booking X – Appointment and Reservation Availability Calendar WordPress plugin by dunskii, affecting versions 1.0 through 1.1.2. The root cause is a missing authorization check (CWE-862) in the export_now() function, which exports plugin data: the function never verifies that the caller holds a capability permitting the export, so an unauthenticated attacker can send a crafted POST request to the vulnerable endpoint and download all plugin-related data without any privilege verification. The exposed data includes user accounts, user metadata and, critically, the PayPal credentials stored by the plugin. The CVSS v3.1 base score is 7.5, reflecting network exploitability (AV:N), low attack complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N). The impact is on confidentiality: attackers can exfiltrate sensitive data, while integrity and availability are not directly affected. No exploitation in the wild has been reported, but the ease of exploitation and the sensitivity of the data involved make this a significant threat. The vulnerability was reserved on June 27, 2025 and published on July 4, 2025, indicating recent discovery and disclosure. No official patch or update has been linked yet, which increases the urgency of mitigation. Because Booking X is a WordPress plugin, the attack surface is every WordPress site running an affected version, typically businesses that use it for appointment scheduling and reservation management.
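The missing-authorization pattern described above, beside the checks that close it, as an added PHP illustration. This is not the Booking X plugin's code: the hook name bx_export_now, the helper bx_collect_export_data(), the option names and the use of the wp_ajax_nopriv_ hook are assumptions made for the example; the advisory only states that export_now() lacks a capability check and is reachable by unauthenticated POST requests.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler and its fix.
// Not the Booking X plugin's code: the hook name 'bx_export_now', the
// helper bx_collect_export_data() and the option names are assumptions.

// ---- Vulnerable pattern --------------------------------------------------
// The handler is reachable by unauthenticated requests (here via the
// wp_ajax_nopriv_ hook, an assumption for the illustration) and it never
// asks who is calling before dumping everything the plugin stores.
add_action( 'wp_ajax_bx_export_now',        'bx_export_now_vulnerable' );
add_action( 'wp_ajax_nopriv_bx_export_now', 'bx_export_now_vulnerable' );

function bx_export_now_vulnerable() {
    $data = bx_collect_export_data();          // users, user meta, payment settings
    header( 'Content-Type: application/json' );
    echo wp_json_encode( $data );
    wp_die();
}

// ---- Hardened pattern ----------------------------------------------------
// 1. No nopriv hook: anonymous requests never reach the function.
// 2. check_ajax_referer(): the request must carry a nonce minted for this
//    action, so a logged-in admin cannot be tricked into triggering it (CSRF).
// 3. current_user_can(): the caller must hold a capability that permits the
//    export. This is the check CWE-862 says was missing.
// 4. Secrets are never part of an export; PayPal settings are redacted.
add_action( 'wp_ajax_bx_export_now', 'bx_export_now_hardened' );

function bx_export_now_hardened() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_send_json_error( array( 'message' => 'method not allowed' ), 405 );
    }
    check_ajax_referer( 'bx_export_now', 'nonce' );   // dies on a missing or bad nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $data = bx_collect_export_data();
    unset( $data['paypal'] );                          // credentials stay out of exports

    // Leave an audit trail: who exported, from where.
    error_log( sprintf( 'bx_export_now by user %d from %s',
        get_current_user_id(), $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );

    wp_send_json_success( $data );
}

// Hypothetical data collector standing in for the plugin's own export logic.
function bx_collect_export_data() {
    return array(
        'users'     => get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) ),
        'user_meta' => get_option( 'bx_exported_user_meta', array() ),  // assumed option name
        'paypal'    => get_option( 'bx_paypal_credentials' ),           // assumed option name
    );
}
```

The nonce is minted with wp_create_nonce( 'bx_export_now' ) on the admin page that offers the export button and sent back as the nonce parameter. The two checks are not interchangeable: a capability check without the nonce still lets a cross-site request ride on an administrator's session, and a nonce without current_user_can() lets any logged-in user who can obtain the nonce run the export. Until a fixed release exists, disabling the plugin (step 1 of the mitigation list) is the only change a site operator can make that removes the unauthenticated path entirely.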
Potential Impact
For European organizations, this vulnerability poses a serious risk to data confidentiality, especially for businesses relying on the Booking X plugin to manage appointments and reservations. The exposure of user accounts and metadata can lead to identity theft, targeted phishing, and further compromise of user privacy, which is particularly sensitive under the GDPR regulatory framework. The disclosure of PayPal credentials is especially critical, as it can lead to financial fraud, unauthorized transactions, and significant financial losses. Organizations in sectors such as healthcare, legal services, hospitality, and any customer-facing businesses that use this plugin are at heightened risk. The breach of personal data could also result in regulatory penalties and reputational damage. Since the vulnerability requires no authentication or user interaction, attackers can automate exploitation at scale, potentially affecting numerous European websites. The lack of patches means organizations must act quickly to mitigate exposure. Additionally, the vulnerability could be leveraged as an initial access vector for further attacks, including lateral movement or ransomware deployment, if attackers gain sufficient information from the stolen data.
Mitigation Recommendations
Immediate mitigation steps include:
1) Identify all WordPress instances running Booking X plugin versions 1.0 to 1.1.2 and disable or uninstall the plugin until a patch is available.
2) Implement Web Application Firewall (WAF) rules to block or monitor POST requests targeting the export_now() function or suspicious export endpoints.
3) Restrict access to the WordPress admin and plugin endpoints by IP whitelisting or VPN access where feasible.
4) Monitor web server logs for unusual POST requests that could indicate exploitation attempts.
5) Rotate any exposed PayPal credentials and review payment account activity for fraud.
6) Apply the principle of least privilege to WordPress user roles to limit potential damage from compromised accounts.
7) Stay updated with vendor advisories for official patches and apply them promptly once released.
8) Conduct security awareness training for administrators to recognize and respond to exploitation attempts.
These measures go beyond generic advice by focusing on immediate containment, detection, and credential protection specific to this vulnerability.
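Step 4 above (watching web server logs for export attempts), as an added PHP example that is not part of the advisory. It parses combined-format access log lines, flags POST requests whose URL mentions export_now or that hit the WordPress AJAX entry point with an unusually large response, and groups the hits by client IP. The URL patterns, the response-size threshold and the log lines are constructed assumptions; the advisory does not name the plugin's actual endpoint.

```php
<?php
// Added example, not part of the advisory: scan combined-format web server
// access log lines for POST requests that look like export attempts.
// Assumptions (the advisory does not name the real endpoint): a URL that
// mentions export_now, or a POST to the WordPress AJAX entry point whose
// response is unusually large, is worth a look. Tune both to your site.

const SUSPICIOUS_URL_PATTERNS = array( '/export_now/i' );
const AJAX_ENTRY_PATTERN      = '#/wp-admin/admin-ajax\.php#i';
const LARGE_RESPONSE_BYTES    = 20000;   // assumed threshold: a full data export is big

// Combined log format:
// IP ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/';

/** Parse one log line into an associative array, or null if it does not match. */
function parse_log_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'bytes'  => ( '-' === $m[6] ) ? 0 : (int) $m[6],
        'ua'     => $m[8],
    );
}

/** Decide whether a parsed request is worth an analyst's attention. */
function is_suspicious( array $req ): bool {
    if ( 'POST' !== $req['method'] ) {
        return false;
    }
    foreach ( SUSPICIOUS_URL_PATTERNS as $re ) {
        if ( preg_match( $re, $req['path'] ) ) {
            return true;
        }
    }
    // admin-ajax.php POSTs are normal WordPress traffic; only the big ones stand out.
    return preg_match( AJAX_ENTRY_PATTERN, $req['path'] )
        && $req['bytes'] >= LARGE_RESPONSE_BYTES;
}

/** Group suspicious requests by client IP. */
function scan_log( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $req = parse_log_line( $line );
        if ( null === $req || ! is_suspicious( $req ) ) {
            continue;
        }
        $hits[ $req['ip'] ][] = $req;
    }
    return $hits;
}

// Constructed sample traffic (not real log data). Replace with
// file( '/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES ) for real use.
$sample = array(
    '203.0.113.10 - - [05/Jul/2025:02:11:41 +0000] "GET /appointments/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Jul/2025:02:11:43 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48213 "-" "python-requests/2.32"',
    '198.51.100.7 - - [05/Jul/2025:02:12:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jul/2025:02:12:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Jul/2025:02:12:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48213 "-" "python-requests/2.32"',
);

foreach ( scan_log( $sample ) as $ip => $reqs ) {
    printf( "%s: %d suspicious POST(s)\n", $ip, count( $reqs ) );
    foreach ( $reqs as $r ) {
        printf( "  [%s] %s %s -> %d, %d bytes, ua=%s\n",
            $r['time'], $r['method'], $r['path'], $r['status'], $r['bytes'], $r['ua'] );
    }
}
```

On the constructed sample only the two large admin-ajax.php responses to 203.0.113.10 are reported; the small one from 198.51.100.7 is ordinary front-end traffic. Two caveats for real use: an access log records the request line, not the POST body, so if the plugin's action name travels in the body the URL patterns will never match and the response-size signal (or a WAF inspecting the body, step 2) is what remains; and a hit with status 200 on a site still running versions 1.0 to 1.1.2 should be treated as a likely data exposure, which triggers step 5 (credential rotation) rather than further monitoring.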
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-27T15:57:14.714Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68673b5e6f40f0eb729e5fd8
Added to database: 7/4/2025, 2:24:30 AM
Last enriched: 7/14/2025, 9:28:37 PM
Last updated: 7/14/2025, 9:28:37 PM