CVE-2025-67581

Vulnerability

Overview The TrueBooker appointment booking plugin for WordPress, versions up to and including 1.1.0, contains a missing authorization vulnerability. The root cause is a broken access control mechanism, where the plugin fails to properly verify user permissions or nonce tokens before executing certain higher-privileged actions [1]. This flaw falls under the category of incorrectly configured access control security levels.

Exploitation

Conditions An attacker does not need any special privileges to exploit this vulnerability. The missing authorization check allows an unauthenticated or low-privileged user to perform actions that should be restricted to higher-privileged roles, such as administrators. The attack surface is the WordPress admin interface or AJAX endpoints exposed by the plugin, which lack proper capability checks [1].

Impact

Successful exploitation enables an attacker to bypass of intended access restrictions, potentially leading to unauthorized modification of booking data, settings, or other sensitive operations. The CVSS v3 base score is 5.3 (Medium), indicating a moderate severity. While the vulnerability is considered low risk and unlikely to be widely exploited, it could be used in mass-exploit campaigns targeting thousands of sites [1].

Mitigation

The vendor has released version 1.1.1 which addresses the issue. Users are strongly advised to update immediately. For Patchstack users, enabling auto-update for vulnerable plugins is recommended. If unable to update, contacting the hosting provider or web developer for assistance is advised [1].