CVE-2025-67597
Description
Missing Authorization vulnerability in Shahjahan Jewel Fluent Booking fluent-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fluent Booking: from n/a through <= 1.9.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Fluent Booking plugin for WordPress <=1.9.11 has a missing authorization vulnerability allowing unprivileged users to perform higher-privileged actions, patched in 1.10.0.
The Fluent Booking plugin for WordPress versions up to and including 1.9.11 contains a missing authorization vulnerability. The root cause is the lack of proper access control checks in certain functions, allowing users without the necessary privileges to execute actions intended for higher-level roles [1].
Exploitation does not require authentication or a privileged account; an unprivileged user can trigger the vulnerable functionality. The attack surface is any WordPress site running the affected plugin, and no special network position is needed. This type of broken access control is frequently targeted in mass-exploit campaigns [1].
Successful exploitation could allow an attacker to perform unauthorized actions, potentially leading to data exposure, configuration changes, or further compromise of the WordPress site. The impact is rated as medium severity with a CVSS v3 score of 4.3 [1].
Mitigation is straightforward: update the plugin to version 1.10.0 or later, which resolves the vulnerability. Patchstack recommends enabling auto-updates for vulnerable plugins. No workaround is available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=1.9.11
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.