CVE-2025-10124
📋 TL;DR
The Booking Manager WordPress plugin before version 2.1.15 contains a shortcode that deletes bookings when a page containing it is visited. This vulnerability allows any user with contributor-level privileges or higher to delete bookings without proper authorization. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Booking Manager WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious contributor or higher-privileged user deletes all bookings, causing business disruption, data loss, and potential financial impact for booking-dependent businesses.
Likely Case
Accidental or intentional deletion of bookings by authorized users who shouldn't have this capability, leading to data loss and operational issues.
If Mitigated
Minimal impact if proper user access controls and monitoring are in place to detect unauthorized booking deletions.
🎯 Exploit Status
Exploitation requires contributor-level access and knowledge of the vulnerable shortcode. No authentication bypass needed beyond standard WordPress user roles.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.15
Vendor Advisory: https://wpscan.com/vulnerability/9bb0589f-34bb-40e1-b7f0-ee883b7b896c/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Booking Manager plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually update to version 2.1.15 or later from the WordPress plugin repository.
🔧 Temporary Workarounds
Remove Contributor Access
Temporarily remove contributor-level access to booking management functions, or demote the affected users to the subscriber role.
Disable Shortcode Execution
Remove or disable the vulnerable shortcode from all pages and posts using the WordPress content editor.
🧯 If You Can't Patch
- Implement strict user role management and limit contributor privileges
- Enable comprehensive logging and monitoring of booking deletions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Booking Manager version. If the version is below 2.1.15, the site is vulnerable.
Check Version:
Check the WordPress admin panel, or run wp plugin list --field=version --name='booking-manager' via WP-CLI.
Verify Fix Applied:
Confirm Booking Manager plugin version is 2.1.15 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unexpected booking deletions in plugin logs
- WordPress user activity logs showing contributors accessing booking-related functions
Network Indicators:
- HTTP requests to pages containing the vulnerable shortcode from contributor-level users
SIEM Query:
source="wordpress" AND (event="booking_deleted" OR event="shortcode_execution") AND user_role="contributor"