CVE-2025-68975 is a security vulnerability identified in the Eagle-Themes Eagle Booking plugin, a WordPress plugin used for managing bookings and reservations. The vulnerability is classified as an authorization bypass through a user-controlled key, meaning that an attacker can manipulate input parameters or keys that control access permissions to circumvent the intended access control mechanisms. This occurs due to incorrectly configured access control security levels within the plugin, allowing unauthorized users to access restricted features or data. The affected versions include all versions up to and including 1.3.4.3. The vulnerability does not require prior authentication or user interaction, which significantly lowers the barrier for exploitation. Although no CVSS score has been assigned yet and no known exploits have been observed in the wild, the nature of the flaw suggests a high risk. The flaw could allow attackers to perform unauthorized actions such as viewing, modifying, or deleting booking information or administrative data, potentially leading to data breaches or service disruption. The plugin is widely used in websites that require booking functionalities, including hotels, event organizers, and service providers. The lack of a patch or official fix at the time of publication necessitates immediate attention to access control configurations and monitoring for vendor updates.

For European organizations, especially those in the hospitality, travel, and event management sectors that utilize the Eagle Booking plugin, this vulnerability poses a significant risk. Unauthorized access could lead to exposure of sensitive customer data, manipulation of booking records, and potential disruption of business operations. This could result in reputational damage, regulatory penalties under GDPR for data breaches, and financial losses. Since the vulnerability does not require authentication, attackers can exploit it remotely without prior access, increasing the likelihood of widespread exploitation. Organizations relying on this plugin for critical booking functions may face operational interruptions if attackers alter or delete booking information. The impact extends to customer trust and compliance with European data protection laws, making timely mitigation essential.

European organizations should immediately audit their use of the Eagle Booking plugin and verify if their version is at or below 1.3.4.3. Until an official patch is released, administrators should implement strict access control policies at the web server or application firewall level to restrict access to booking management interfaces. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious parameter manipulation can reduce risk. Organizations should monitor logs for unusual access patterns or unauthorized attempts to access restricted booking functions. It is advisable to isolate the booking management system from other critical infrastructure where possible. Regular backups of booking data should be maintained to enable recovery in case of data tampering. Finally, organizations must stay alert for vendor updates or patches and apply them promptly once available.