CVE-2025-67574
Description
Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.30.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Booking calendar plugin ≤3.2.30 allows unauthenticated exploitation of incorrectly configured access controls.
Overview
The Booking calendar, Appointment Booking System plugin for WordPress (versions ≤3.2.30) contains a missing authorization vulnerability. The issue arises from incorrect configuration of access control security levels, allowing attackers to bypass intended permission checks [1].
Exploitation
An attacker can exploit this broken access control without requiring authentication, as the plugin fails to properly verify user capabilities before granting access to certain functions or data. The vulnerability is classified under the 'Exploiting Incorrectly Configured Access Control Security Levels' category, indicating a systemic misconfiguration rather than a single missing check [1].
Impact
Successful exploitation could allow an unprivileged attacker to perform actions or access resources that should be restricted. While the CVSS score is 5.3 (Medium), the practical risk is elevated because this type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vendor has released version 3.2.31, which resolves the issue. Users are advised to update immediately. Patchstack users can enable auto-updates for affected plugins. No workarounds are provided for sites that cannot update [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.2.30
Patches
No patches discovered yet.
References