How to fix CVE-2025-14146?

Within 30 days: Identify affected systems running for WordPress is vulnerable to Sensitive Information Exposur and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Is PHP affected by CVE-2025-14146?

Organizations using for WordPress is vulnerable to Sensitive Information Exposure in all should be aware of moderate risk from CVE-2025-14146, a missing authorization vulnerability rated CVSS 5.3. Attackers could gain access beyond their authorized level.

CVE-2025-14146

MEDIUM

2026-01-09 [email protected]

5.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 09, 2026 - 08:15 nvd

MEDIUM 5.3

Description

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for unauthenticated attackers to extract sensitive booking data including customer names, email addresses, phone numbers, and booking details.

Analysis

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the WPBC_FLEXTIMELINE_NAV AJAX action. This is due to the nonce verification being conditionally disabled by default (booking_is_nonce_at_front_end option is 'Off' by default). When the booking_is_show_popover_in_timeline_front_end option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible ...

Technical Context

This vulnerability (CWE-862: Missing Authorization) affects Booking Calendar (WordPress plugin). The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for

Affected Products

Vendor: WordPress. Product: Booking Calendar (WordPress plugin). Versions: up to 10.14.10.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +26

POC: 0

CVE-2025-14146 vulnerability details – vuln.today

Back

CVE-2025-14146

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-14146

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code