VYPR
Medium severity 4.5 · NVD Advisory · Published Oct 10, 2025 · Updated Apr 15, 2026

CVE-2025-10124

Description

The Booking Manager WordPress plugin before 2.1.15 registers a shortcode that deletes bookings and makes that shortcode available to anyone with contributor and above privileges. When a page containing the shortcode is visited, the bookings are deleted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Booking Manager WordPress plugin before 2.1.15 allows contributors and above to delete all bookings via a shortcode, leading to data loss.

The Booking Manager WordPress plugin before version 2.1.15 suffers from an incorrect authorization vulnerability. The plugin registers a shortcode that is intended to delete bookings, but it fails to properly restrict access to this functionality. As a result, the shortcode is made available to any user with contributor-level privileges or higher [1].

To exploit this vulnerability, an attacker with contributor or higher access to a WordPress site can embed the shortcode into a page or post. When any visitor (including the attacker themselves) loads that page, the shortcode executes and deletes all bookings managed by the plugin. No additional authentication or special permissions are required beyond the contributor role [1].

The impact of successful exploitation is the complete deletion of all booking data stored by the plugin. This can lead to significant data loss, disruption of business operations, and potential financial harm for sites that rely on the Booking Manager for reservations or appointments [1].

The vulnerability has been fixed in version 2.1.15 of the plugin. Users are strongly advised to update to this patched version immediately. The issue was discovered and reported by researcher Khaled Alenazi (Nxploited) [1].
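
One way to avoid this class of bug, shown as an added example that is not the Booking Manager plugin's code or its 2.1.15 patch: a shortcode callback only renders output, and the destructive action runs in a separate handler behind a capability check and a nonce. The shortcode tag, action name and table (`example_clear_bookings`, `example_bookings`) are hypothetical, and `manage_options` is an assumed choice of capability.

```php
<?php
// Hypothetical plugin file for illustration. The shortcode tag, action name and
// table name are made up; they are not taken from the Booking Manager plugin.

// Anti-pattern: rendering the shortcode performs the deletion. Shortcodes run for
// whoever views the page, and any role that can write post content can place one.
function example_clear_bookings_unsafe() {
    global $wpdb;
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_bookings" );
    return 'Bookings cleared.';
}
// Deliberately not registered; shown only for contrast with the handlers below.

// Hardened: rendering has no side effects and shows a form only to authorised viewers.
function example_clear_bookings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_clear_bookings">
        <?php wp_nonce_field( 'example_clear_bookings' ); ?>
        <button type="submit">Delete all bookings</button>
    </form>
    <?php
    return ob_get_clean();
}
add_shortcode( 'example_clear_bookings', 'example_clear_bookings_form' );

// The deletion runs only on a logged-in POST that passes both checks.
function example_clear_bookings_handle() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_clear_bookings' ); // dies if the nonce is missing or invalid
    global $wpdb;
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_bookings" );
    wp_safe_redirect( wp_get_referer() ?: home_url() );
    exit;
}
add_action( 'admin_post_example_clear_bookings', 'example_clear_bookings_handle' );
```

`current_user_can()` inside a shortcode callback evaluates the user viewing the page, not the author who inserted the shortcode, which is why the check is repeated in the POST handler where the deletion actually happens.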

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
