CVE-2025-14146

5.3 MEDIUM

📋 TL;DR

The Booking Calendar WordPress plugin, versions 10.14.10 and earlier, exposes booking data to unauthenticated attackers. The AJAX handler behind the front-end timeline popover only verifies a nonce when the administrator has turned on front-end nonce verification, and that setting is off by default. When the timeline popover feature is enabled (the default in demo installations), anyone who can reach the site can pull customer names, email addresses, phone numbers, and booking details. Sites running 10.14.10 or earlier with the popover enabled and front-end nonce verification off are exposed; 10.14.11 fixes the issue.

💻 Affected Systems

Products:
  • Booking Calendar WordPress Plugin
Versions: All versions up to and including 10.14.10
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Exposure requires the 'booking_is_show_popover_in_timeline_front_end' option to be enabled (on by default in demo installations; administrators can enable it on any install) and front-end nonce verification ('booking_is_nonce_at_front_end') to be off, which is the default.

⚠️ Manual Verification Required

The database record behind this page carries no machine-readable version range, so automated matching cannot decide whether your site is affected. Exposure also depends on two plugin options, not on the version alone (see Affected Systems), so check the installed version and the option state yourself (see How to Verify).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check the vendor changeset linked under Fix & Mitigation and the plugin changelog for your installed version
  3. Confirm whether the timeline popover is enabled and whether front-end nonce verification is off on your install
  4. Update to 10.14.11 or later

⚠️ Risk & Real-World Impact

🔴

Worst Case

Mass exfiltration of all booking data including PII (names, emails, phones) leading to privacy violations, regulatory fines, and potential follow-on attacks using stolen contact information.

🟠

Likely Case

Unauthenticated attackers harvesting customer PII and booking details for spam, phishing, or identity theft campaigns.

🟢

If Mitigated

No data exposure when the plugin is at 10.14.11 or later, when front-end nonce verification is enabled, or when the timeline popover feature is disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation consists of sending AJAX requests to /wp-admin/admin-ajax.php with action=WPBC_FLEXTIMELINE_NAV. Because the handler does not verify a nonce unless front-end nonce verification is switched on, unauthenticated requests are processed and the response carries the booking details the popover displays.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.14.11 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3434934%40booking%2Ftrunk&old=3432649%40booking%2Ftrunk&sfp_email=&sfph_mail=#file2

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Booking Calendar and click 'Update Now' if available.
4. Alternatively, download version 10.14.11 or later from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable Timeline Popover Feature

Applies to: all

Disable the vulnerable timeline popover feature in the plugin settings. This removes the popover for site visitors until you patch.

Navigate to Booking Calendar settings > Timeline > Front-end Timeline and disable 'Show popover in timeline front-end'.

Enable Nonce Verification

Applies to: all

Enable nonce verification for front-end AJAX requests.

Navigate to Booking Calendar settings > Advanced > Security and enable the 'booking_is_nonce_at_front_end' option.

🧯 If You Can't Patch

  • Deactivate the Booking Calendar plugin until you can update to 10.14.11 or later
  • Block requests to /wp-admin/admin-ajax.php whose action parameter is WPBC_FLEXTIMELINE_NAV at the WAF; match the parameter in both the query string and the POST body, and expect front-end timeline navigation to stop working while the rule is in place
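One concrete form of the WAF rule above, written here as an added example in ModSecurity v2 syntax; it is not a rule published by the plugin vendor. The rule id is an arbitrary choice and must not collide with ids already in use on your WAF, and ARGS only covers POST-body parameters when SecRequestBodyAccess is On. Like the popover workaround, this breaks timeline navigation for legitimate visitors until the plugin is updated.

```apache
# Added example: block the WPBC_FLEXTIMELINE_NAV AJAX action (CVE-2025-14146).
# Not vendor-supplied. id 1000146 is an arbitrary choice; pick a free id.
# Request bodies must be inspected, otherwise ARGS only sees the query string.
SecRequestBodyAccess On

SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:1000146,phase:2,t:none,deny,status:403,log,msg:'CVE-2025-14146 workaround: WPBC_FLEXTIMELINE_NAV blocked',chain"
    SecRule ARGS:action "@streq WPBC_FLEXTIMELINE_NAV" "t:none"
```

The chained pair fires only when both conditions hold: the target is admin-ajax.php and the action parameter, wherever it is carried, is exactly WPBC_FLEXTIMELINE_NAV, so other AJAX actions on the site keep working.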

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for Booking Calendar version. If version is 10.14.10 or lower, check if timeline popover feature is enabled.

Check Version:

wp plugin list --name=booking --field=version (requires WP-CLI; 'booking' is the plugin's directory slug)

Verify Fix Applied:

Verify Booking Calendar version is 10.14.11 or higher in WordPress admin panel.
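The version check and the two option checks above combined into one script, as an added example for this advisory; it is not code from the Booking Calendar plugin or from WordPress. The decision rule follows the advisory text: exposed when the plugin is older than 10.14.11, the timeline popover is enabled, and front-end nonce verification is off. Assumptions: the options are stored in wp_options under the names the advisory uses, checkbox values are 'On'/'Off' strings, and WP-CLI knows the plugin by the slug 'booking'.

```python
"""Assess exposure to CVE-2025-14146 for a Booking Calendar install.

Added example for this advisory, not code from the plugin or WordPress.
Assumptions: option names as in the advisory, 'On'/'Off' stored values,
plugin slug 'booking', `wp` on PATH and run from the site root.
"""
import shutil
import subprocess

FIXED_VERSION = "10.14.11"
POPOVER_OPTION = "booking_is_show_popover_in_timeline_front_end"
NONCE_OPTION = "booking_is_nonce_at_front_end"


def parse_version(text):
    """'10.14.10' -> (10, 14, 10). Compare as tuples: as strings,
    '10.14.9' sorts after '10.14.11' and would be misreported as patched."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def option_enabled(raw):
    """Interpret a stored checkbox value. An absent option (None) is treated
    as off here; if the option was never saved, confirm the setting in wp-admin."""
    if raw is None:
        return False
    return str(raw).strip().lower() in {"on", "1", "true", "yes"}


def assess(version, popover_enabled, nonce_enabled):
    """Return 'patched', 'not_exposed_popover_off', 'not_exposed_nonce_on' or 'exposed'."""
    if parse_version(version) >= parse_version(FIXED_VERSION):
        return "patched"
    if not popover_enabled:
        return "not_exposed_popover_off"
    if nonce_enabled:
        return "not_exposed_nonce_on"
    return "exposed"


def wp(*args):
    """Run a WP-CLI command; None if it fails (e.g. the option is not set)."""
    try:
        out = subprocess.run(["wp", *args], check=True, capture_output=True, text=True)
    except subprocess.CalledProcessError:
        return None
    return out.stdout.strip()


def main():
    if shutil.which("wp") is None:
        print("WP-CLI not found; call assess(version, popover, nonce) with values read from wp-admin")
        return
    version = wp("plugin", "get", "booking", "--field=version")
    if version is None:
        print("Booking Calendar (slug 'booking') is not installed")
        return
    popover = option_enabled(wp("option", "get", POPOVER_OPTION))
    nonce = option_enabled(wp("option", "get", NONCE_OPTION))
    print(f"Booking Calendar {version}: {assess(version, popover, nonce)}")


if __name__ == "__main__":
    main()
```

Run it from the WordPress root as the web user (python3 assess_cve_2025_14146.py). The numeric version comparison matters: a naive string comparison treats 10.14.9 as newer than 10.14.11.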

📡 Detection & Monitoring

Log Indicators:

  • Unusual volume of AJAX requests to /wp-admin/admin-ajax.php with action=WPBC_FLEXTIMELINE_NAV from a single client
  • Requests for that action that carry no nonce parameter
  • Note: default web server access logs record the query string but not POST bodies, so if the plugin's JavaScript sends the action in the body you will only see it in WAF or application-level request logs

Network Indicators:

  • HTTP POST requests to admin-ajax.php with WPBC_FLEXTIMELINE_NAV action from unauthenticated sources

SIEM Query (pseudo-syntax; adapt field names to your platform):

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND post_data="action=WPBC_FLEXTIMELINE_NAV" AND user_agent NOT CONTAINS "WordPress"

The user_agent clause only drops WordPress's own loopback requests (their User-Agent starts with "WordPress/"); real visitors using the timeline also match the rest of the query, so alert on per-client volume (many calls from one IP in a short window) rather than on any single hit. The post_data field only exists if your web server, WAF or application logging records request bodies.
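The per-client volume check described above, run over log lines, as an added example for this advisory (not code from the plugin or from any SIEM vendor). The sample lines are constructed in Apache/nginx 'combined' format and assume the AJAX action appears in the query string; WordPress accepts the action there, but if the plugin's own JavaScript sends it in the POST body, a plain access log never records it and you would feed this the request log of a WAF or audit module that captures bodies instead.

```python
"""Flag clients bursting WPBC_FLEXTIMELINE_NAV calls against admin-ajax.php.

Added monitoring example for CVE-2025-14146; not code from the Booking
Calendar plugin. Log lines below are constructed; the action is assumed
to be visible in the query string.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

TARGET_ACTION = "WPBC_FLEXTIMELINE_NAV"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined log format: client IP, timestamp, request line, status, bytes, referer, UA
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_timeline_nav(entry):
    """True when the request targets admin-ajax.php with action=WPBC_FLEXTIMELINE_NAV."""
    url = urlsplit(entry["target"])
    if url.path != AJAX_PATH:
        return False
    return parse_qs(url.query).get("action", [None])[0] == TARGET_ACTION


def find_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak} for clients that made more than `threshold` timeline-nav
    calls inside any `window`-long span. Legitimate visitors trigger this action
    too, so the threshold is what separates browsing from scraping; tune it."""
    per_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_timeline_nav(entry):
            per_ip[entry["ip"]].append(entry["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def make_line(ip, ts, target=f"{AJAX_PATH}?action={TARGET_ACTION}"):
    """Build a constructed combined-format line for the sample data below."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{ip} - - [{stamp}] "POST {target} HTTP/1.1" 200 734 '
            f'"https://example.com/booking/" "Mozilla/5.0"')


_T0 = datetime(2025, 12, 15, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = (
    # constructed: a visitor paging the timeline three times over six minutes
    [make_line("198.51.100.7", _T0 + timedelta(minutes=3 * i)) for i in range(3)]
    # constructed: a scraper walking the calendar once per second
    + [make_line("203.0.113.42", _T0 + timedelta(seconds=i)) for i in range(30)]
    # constructed: unrelated AJAX action from the same scraper, must be ignored
    + [make_line("203.0.113.42", _T0, target=f"{AJAX_PATH}?action=heartbeat")]
    # constructed: a line in another format, must be skipped rather than crash
    + ["garbage line that is not an access log entry"]
)

if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE_LINES).items():
        print(f"{ip}: {peak} {TARGET_ACTION} calls within 60s")
```

On the constructed sample only the scraper is reported; the visitor's three calls spread over six minutes stay under the threshold, and the heartbeat call is ignored because only the exact target action counts.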
