CVE-2025-39376

Vulnerability

Overview The Car Park Booking System for WordPress plugin suffers from a Missing Authorization vulnerability, categorized as a Broken Access Control issue [1]. The flaw exists in plugin functions that lack proper authorization or nonce token checks, enabling unprivileged users to execute actions intended for higher-privileged roles [1]. This affects plugin versions from n/a through 2.6.

Attack

Vector and Requirements Exploitation requires no authentication, as the missing authorization check allows any visitor to trigger protected functions [1]. The attack surface is the WordPress admin interface or AJAX handlers that fail to verify user capabilities. No special network position is needed; the vulnerability can be triggered over HTTP.

Impact

Successful exploitation allows an attacker to perform actions reserved for administrators, such as modifying booking data, altering plugin settings, or accessing sensitive information [1]. This can lead to partial loss of integrity and availability, consistent with the CVSS v3 base score of 4.3 (Medium).

Remediation

The vulnerability affects all versions up to and including 2.6. Users must update the plugin to a patched version as soon as possible [1]. If an update is unavailable, site administrators should consider temporary workarounds like restricting access to plugin endpoints or disabling the plugin until a fix is released [1].