CVE-2025-14982

4.3 MEDIUM

📋 TL;DR

The Booking Calendar plugin for WordPress has a missing authorization vulnerability that allows authenticated users with Subscriber-level access or higher to view all booking records containing sensitive personal information. This exposes PII including names, email addresses, phone numbers, addresses, payment details, and booking hashes belonging to other users. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Booking Calendar WordPress Plugin
Versions: All versions up to and including 10.14.11
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Booking Calendar plugin. Vulnerability exists in default configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass data breach where attackers exfiltrate all booking records containing sensitive PII, leading to identity theft, financial fraud, regulatory penalties, and reputational damage.

🟠 Likely Case

Unauthorized viewing of booking records by low-privileged users or compromised accounts, resulting in privacy violations and potential targeted phishing attacks.

🟢 If Mitigated

Limited exposure if proper access controls and monitoring are in place, with only minimal data accessed before detection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access (Subscriber role or higher). Attack path is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.14.12 or later

Vendor Advisory: https://wordpress.org/plugins/booking/#developers

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find the Booking Calendar plugin.
  4. Click 'Update Now' if an update is available.
  5. Alternatively, download the latest version from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Restrict User Registration

all

Disable new user registration or require admin approval to limit potential attackers with Subscriber access.

Temporary Plugin Deactivation

all

Deactivate the Booking Calendar plugin until it is patched if an immediate update is not possible.

🧯 If You Can't Patch

  • Implement strict access controls and monitor user activity for suspicious booking record access patterns.
  • Consider migrating to alternative booking plugins with proper authorization checks while awaiting patch.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for the Booking Calendar version. If the version is 10.14.11 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=booking --field=version (requires WP-CLI)

Verify Fix Applied:

Verify that the Booking Calendar plugin version is 10.14.12 or higher in the WordPress admin panel.
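The version check above is easy to get wrong with a string comparison ("10.14.9" sorts after "10.14.12"). The following script is an added example, not part of this advisory or of the plugin: it reads the version with the WP-CLI command given above and compares it component by component against the fixed release 10.14.12. The function names and the `--check` flag are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an installed Booking
# Calendar version is in the affected range (<= 10.14.11) by comparing it
# component-by-component against the fixed release 10.14.12. A plain string
# comparison gets this wrong (e.g. "10.14.9" sorts after "10.14.12").

FIXED_VERSION="10.14.12"

# version_lt A B: return 0 (true) if dotted version A is numerically lower than B.
# Missing components count as 0; non-numeric suffixes such as "-beta" are ignored.
version_lt() {
  i=1
  while :; do
    # the trailing "." guarantees cut sees a delimiter, so out-of-range fields are empty
    pa=$(printf '%s.' "$1" | cut -d. -f"$i")
    pb=$(printf '%s.' "$2" | cut -d. -f"$i")
    if [ -z "$pa" ] && [ -z "$pb" ]; then
      return 1          # every component equal: A is not lower than B
    fi
    pa=${pa%%[!0-9]*}; pb=${pb%%[!0-9]*}
    pa=${pa:-0}; pb=${pb:-0}
    if [ "$pa" -lt "$pb" ]; then return 0; fi
    if [ "$pa" -gt "$pb" ]; then return 1; fi
    i=$((i + 1))
  done
}

# booking_version_vulnerable V: return 0 (true) if V is affected by CVE-2025-14982.
booking_version_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_installed_booking: read the version via WP-CLI (the command the advisory
# gives) and print a verdict. Returns 0 = vulnerable, 1 = patched, 2 = cannot tell.
check_installed_booking() {
  if ! command -v wp >/dev/null 2>&1; then
    echo "WP-CLI not found; read the version from Plugins > Installed Plugins instead" >&2
    return 2
  fi
  v=$(wp plugin list --name=booking --field=version 2>/dev/null) || v=""
  if [ -z "$v" ]; then
    echo "Booking Calendar plugin not installed" >&2
    return 2
  fi
  if booking_version_vulnerable "$v"; then
    echo "VULNERABLE: Booking Calendar $v is below $FIXED_VERSION; update now"
    return 0
  fi
  echo "OK: Booking Calendar $v is $FIXED_VERSION or later"
  return 1
}

# Run the live check only when invoked as: sh check_booking.sh --check
if [ "${1:-}" = "--check" ]; then
  check_installed_booking
fi
```

Run it from the WordPress root (where WP-CLI resolves the site) with `--check`; the exit code (0 vulnerable, 1 patched, 2 undetermined) makes it usable from a fleet-wide inventory job.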

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to booking records by Subscriber-level users
  • Multiple booking data queries from single user account

Network Indicators:

  • Unusual outbound data transfers containing booking-related data

SIEM Query:

source="wordpress" AND (event="booking_access" OR event="plugin_activity") AND user_role="subscriber" AND data_volume>threshold
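The SIEM query above is a template rather than a query for a specific product. As an added example, not part of this advisory, the script below implements the same idea in a runnable form: it counts booking-record reads per Subscriber account and flags accounts above a threshold (event count stands in for the query's data_volume). The event format, the sample lines and the function names are constructed for this example; WordPress core does not emit such events by itself, so map the fields to whatever activity or audit logging your site actually produces.

```shell
#!/bin/sh
# Added example, not part of the advisory: a runnable stand-in for the SIEM query.
# It counts booking-record reads per Subscriber account and flags accounts above a
# threshold. The event format is constructed for this example
# (<timestamp> <user> <role> <event>); map it to the fields your WordPress
# activity/audit logging actually produces.

# Constructed sample events, not real data.
SAMPLE_LOG='2025-01-10T09:00:01Z alice administrator booking_access
2025-01-10T09:00:02Z alice administrator booking_access
2025-01-10T09:00:03Z bob subscriber booking_access
2025-01-10T09:00:04Z bob subscriber booking_access
2025-01-10T09:00:05Z bob subscriber booking_access
2025-01-10T09:00:06Z bob subscriber booking_access
2025-01-10T09:00:07Z bob subscriber booking_access
2025-01-10T09:00:08Z carol subscriber booking_access
2025-01-10T09:00:09Z carol subscriber booking_access
2025-01-10T09:00:10Z dave subscriber plugin_activity
2025-01-10T09:00:11Z dave subscriber plugin_activity
2025-01-10T09:00:12Z dave subscriber plugin_activity
2025-01-10T09:00:13Z dave subscriber plugin_activity'

# flag_bulk_booking_access THRESHOLD: read events on stdin and print, one per
# line and sorted, every Subscriber whose booking_access count exceeds THRESHOLD.
# Administrators are expected to read bookings, so their events are not counted.
flag_bulk_booking_access() {
  awk -v threshold="$1" '
    $3 == "subscriber" && $4 == "booking_access" { count[$2]++ }
    END { for (u in count) if (count[u] > threshold) print u }
  ' | sort
}

# booking_access_count USER: total booking_access events for USER on stdin,
# handy for confirming a flagged account before escalating.
booking_access_count() {
  awk -v user="$1" '$2 == user && $4 == "booking_access" { n++ } END { print n + 0 }'
}

# Demo run over the constructed sample: sh detect_booking_access.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | flag_bulk_booking_access 3
fi
```

Tune the threshold to the site's normal behaviour: a Subscriber has no legitimate reason to read other users' bookings at all, so on most sites even a low threshold is appropriate, and a flagged account should be reviewed alongside the plugin version check.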
