CVE-2026-25444
Description
Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects WpBookingly: from n/a through 1.2.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in the WpBookingly plugin through 1.2.9 lets unauthenticated requests bypass access control; fixed in 1.3.0.
Vulnerability
The WpBookingly plugin for WordPress (versions up to 1.2.9) contains a missing authorization vulnerability in its access control mechanisms [2]. This allows exploitation of incorrectly configured access control security levels, enabling unprivileged users to execute functions intended for higher-privileged roles [2]. The issue affects all versions through 1.2.9 [2].
Exploitation
An attacker can exploit this vulnerability by sending crafted HTTP requests to the WordPress site without requiring any authentication [2]. The exact functions affected are not publicly detailed, but the missing authorization checks allow an unprivileged user to perform actions that should be restricted to authenticated administrators [2].
Impact
Successful exploitation could lead to unauthorized access to administrative functionality, potentially allowing an attacker to modify bookings, settings, or other data within the plugin [2]. The impact is considered low severity and unlikely to be mass-exploited, but it still poses a risk to affected sites [2].
Mitigation
The vulnerability is fixed in version 1.3.0 of the plugin [2]. Users should update to version 1.3.0 or later immediately [2]. According to the WordPress plugin repository, version 1.3.1 is available as of 2026-05-22 [1]. No workarounds have been provided, and the plugin is not listed on the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.2.9
- Range: <=1.2.9
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.