High severity7.5NVD Advisory· Published Jul 4, 2025· Updated Apr 15, 2026

CVE-2025-6814

Description

The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request.

Affected products

WordPress/Booking Xreferences
Package: https://wordpress.org/plugins/booking-x

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/booking-x/tags/1.1.2/admin/class-bookingx-admin.phpnvd
plugins.trac.wordpress.org/browser/booking-x/tags/1.1.2/includes/class-bookingx.phpnvd
wordpress.org/plugins/booking-x/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/6a30d572-e086-4b83-8cb7-4cef9a3253bdnvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000