CVE-2025-54040
Description
Missing Authorization vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Webba Booking: from n/a through <= 5.1.20.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Webba Booking ≤5.1.20 allows attackers to exploit incorrectly configured access controls, potentially granting unauthorized privileges.
The Webba Booking plugin for WordPress (webba-booking-lite), in versions through 5.1.20, contains a missing authorization vulnerability. The plugin fails to properly enforce access control security levels, allowing users to perform actions that should require higher privileges. This is classified as a broken access control issue, where authorization checks or nonce token validations are absent in certain functions [1].
Exploitation requires no authentication, making it accessible to any unprivileged user. The vulnerability is exposed via the plugin's functionality, and attackers can trigger it by sending crafted requests. Because this WordPress plugin is widely installed, the attack surface is significant, and the vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Successful exploitation can allow an attacker to gain unauthorized access to administrative actions, potentially leading to full site compromise. The CVSS v3 base score of 6.5 reflects the moderate severity but high potential for widespread abuse. The vulnerability is particularly dangerous because it can be leveraged without authentication and is expected to be actively exploited [1].
The vendor has addressed this issue in version 5.1.22. Immediate updating to version 5.1.22 or later is strongly recommended. For those unable to update, Patchstack provides a mitigation rule to block attacks until a patch is applied. Users are advised to enable auto-updates for vulnerable plugins where possible [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=5.1.20
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.