Skip to main content

BookPro Plugin CVE-2025-66123

| EUVDEUVD-2025-210356 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-26 audit@patchstack.com GHSA-j2gp-7857-qprf
5.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable endpoint requires no authentication; impact is read-only partial disclosure of booking records with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:04 vuln.today

DescriptionCVE.org

Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.

AnalysisAI

Unauthenticated IDOR in the BookPro WordPress plugin (versions ≤ 1.1.0) exposes arbitrary booking records to remote attackers without any authentication. By manipulating object reference identifiers in HTTP requests, an unauthenticated attacker can retrieve booking data belonging to other users, bypassing authorization entirely. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS confirms the impact is limited to partial confidentiality disclosure with no integrity or availability consequence.

Technical ContextAI

CWE-639 (Authorization Through User-Controlled Key) describes a root cause where the application uses a user-supplied identifier - such as a booking ID in a URL parameter or POST body - to retrieve records without verifying that the authenticated (or in this case unauthenticated) requester owns or is authorized to access that record. In WordPress plugin contexts, this typically surfaces in REST API endpoints, AJAX handlers (wp-admin/admin-ajax.php), or form submission handlers that accept a numeric booking reference and return data based solely on that value. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms the endpoint is publicly reachable with no prerequisite interaction or privilege. The 'Authentication Bypass' tag from Patchstack reinforces that no session or nonce validation gates the vulnerable endpoint.

RemediationAI

Patch available per vendor advisory - check the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/ovabookpro/vulnerability/wordpress-bookpro-plugin-1-1-0-insecure-direct-object-references-idor-vulnerability and the WordPress plugin repository for a version above 1.1.0 that addresses this flaw; an exact fixed version number was not confirmed in the provided data. If an update is not yet available or cannot be applied immediately, a compensating control is to restrict access to the booking endpoints via WAF rules or server-level IP allowlisting - note this may break legitimate customer booking flows for users outside allowed ranges. Alternatively, temporarily disabling the public-facing booking feature until a patch is applied eliminates the attack surface entirely at the cost of lost functionality. Site administrators should audit booking records for anomalous access patterns in the interim.

Share

CVE-2025-66123 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy