CVE-2025-66530

The Webba Booking plugin for WordPress (webba-booking-lite) versions up to and including 6.2.1 contain a missing authorization vulnerability. The plugin fails to properly enforce access control checks on certain functions, allowing exploitation of incorrectly configured security levels [1]. This broken access control issue means that the plugin does not verify whether a user has the necessary privileges before executing a higher-privileged action [1].

Attackers can exploit this vulnerability without authentication, as the missing authorization check does not require a valid user session. The attack surface is the WordPress admin interface, where unprivileged users or even unauthenticated visitors may trigger functions intended for administrators [1]. No special network position is required; the attack can be carried out remotely over HTTP.

Successful exploitation could allow an attacker to perform actions that should be restricted to higher-privileged users, such as modifying booking settings or accessing sensitive data. The CVSS v3 base score of 4.3 (Medium) reflects the limited direct impact, but the vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1].

The vendor has released version 6.2.2 which resolves the issue. Users are strongly advised to update to this version immediately. If updating is not possible, a workaround is to consult a hosting provider or web developer for assistance [1]. Patchstack users can enable auto-updates for vulnerable plugins.