CVE-2025-39541
Description
Missing Authorization vulnerability in Roland Murg WP Simple Booking Calendar wp-simple-booking-calendar. This issue affects WP Simple Booking Calendar: from n/a through <= 2.0.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A broken access control vulnerability in WP Simple Booking Calendar allows unauthenticated users to perform unauthorized actions on WordPress sites.
A missing authorization vulnerability exists in the WP Simple Booking Calendar plugin for WordPress, affecting versions up to and including 2.0.13 [1]. This flaw, categorized as a broken access control issue, stems from the plugin's failure to properly verify user permissions before executing certain functions, enabling unauthenticated or low-privileged users to bypass intended access restrictions [1].
The vulnerability does not require authentication and can be exploited remotely over HTTP. Attackers can leverage this missing authorization check to perform actions that should be restricted to higher-privileged users, such as modifying calendar settings or data [1]. The broad attack surface is underscored by the expectation that this vulnerability will be incorporated into mass-exploit campaigns targeting thousands of WordPress sites [1].
Successful exploitation allows an attacker to manipulate the booking calendar without proper authorization, potentially leading to data corruption, denial of service, or disruption of the site's booking functionality [1]. The CVSS v3 score of 6.5 (Medium) reflects the moderate but real risk, particularly in automated, large-scale attacks [1].
Mitigation is available: users must update the plugin to version 2.0.14 or later, which has addressed the authorization gap [1]. Plugin developers and site administrators are strongly advised to apply this update immediately to prevent exploitation. For those unable to update, Patchstack provides a virtual mitigation rule to block attacks, and auto-update features can be enabled for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References: 1
News mentions
No linked articles in our index yet.