CVE-2025-64261

Vulnerability

Overview The Appointment Booking Calendar plugin for WordPress versions up to and including 1.3.95 suffers from a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, allowing unauthenticated or low-privileged users to perform actions that should require higher privileges [1].

Exploitation

Attackers can exploit this broken access control issue without needing authentication or by using a low-privileged account. The vulnerability is present in functions that lack proper authorization checks, nonce token checks or authorization verification, enabling unprivileged users to execute higher-privileged actions [1].

Impact

Successful exploitation could allow an attacker to modify booking settings, access sensitive data, or perform other administrative actions, depending on the specific to the plugin's functionality. The vulnerability is rated as medium severity (CVSS 5.4) and is considered low risk for exploitation, though it has been noted in mass-exploit campaigns [1].

Mitigation

The vendor has released version 1.3.96 which resolves the issue. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].